SOFTWARE DEVELOPMENT TIMES
The Industry Newspaper for Software Development Managers
ISSUE NO. 118    $7.95    www.sdtimes.com    A BZ Media publication

TURNING ARCHITECTURE INTO A PROFESSION
The Open Group hopes that certification will demonstrate experience, skills

IN THIS ISSUE
Zend Launches PHP Runtime Platform
Government Task Force Recommends Ways To Improve Software Security
Instant Messaging in the Enterprise
It's Dullsville at the JTC Party
Clustering in Orbix 6.2 Gangs Up on Security
Education Is on the Agenda for 2005
Sunopsis: Not Just ETL Anymore
Computer Pioneer David J. Wheeler Dies
Traceability Matrix, Policy Engine New to Speedev
LinuxWorld Follows Migration North
Web Services Edge Looks Sharper
Tester Builds Scripts From Requirements
Pantero Adds Semantic Integration
Palm OS To Run on Linux

COLUMNISTS
HOLUB: Teach Your Programmers Well
BINSTOCK: Blind Spots and Frequent Testing
O'BRIEN: Search and Delay
RUBINSTEIN: The Importance of Training


BY DAVID RUBINSTEIN 

In an effort to bring under- 
standing to what the skill set of 
a software architect should 
entail, The Open Group last 
month announced it would 
begin a certification program 
that it hopes will establish a 
baseline for the industry. 

At the urging of sponsors 
Hewlett-Packard and IBM, The 
Open Group hopes to establish 
criteria and have the program in 
place by midyear, said James de 
Raeve, the organization's vice 
president of certification. The 
criteria will be defined by the 
group's membership. 



"It's about taking a craft and 
turning it into a profession," he 
said. "It's not something you do 
overnight, but it's where the 
industry needs to go." 

The Open Group is a vendor 
consortium sponsored by Fujit- 
su, HP, Hitachi, IBM and Sun 
that's focused on certification 
and conformance testing for 
platform interoperability. 

While declining to discuss 
specifics of the program just yet, 
de Raeve did say architects will 
have to show they have a body 
of experience and that they're 
capable of deploying an as-yet- 
► continued on page 17 



W3C Specifies 
Architecture 
For Whole Web 

Group also explores binary XML 






BY YVONNE L. LEE 

A group of Internet pioneers 
has attempted to head off dis- 
agreements by circling the 
wagons and issuing the defini- 
tive word on how the Web 
should run. 

That group is a branch of the 
World Wide Web Consortium 
(W3C) called the Technical 
Architecture Group (TAG). It 
includes Web creator Tim 
Berners-Lee and eight mem- 
bers who have been working 
on key technologies 
almost from the 
Web's inception. 

The document, Architecture of the World Wide Web (AWWW) Volume One, is the consensus at which these men have arrived concerning the Web's core design. Those design elements are how to identify resources, how to represent the state of the resources, and how to interact with the elements. It has the status of a recommendation, which is the W3C's terminology for a reviewed and ratified specification.

Some Web technologies don't integrate well, says the W3C's Jacobs.

"One of the reasons [the 
TAG] was created was there 
were a number of disagreements 
in W3C where two working 
groups disagreed about some- 
thing they had in common," 
explained Ian Jacobs, head of 
W3C communica- 
tions and co-author 
of the document. 

Other members 
of the TAG are 
XML originator Tim 
Bray; Dan Connolly, 
who helped create 
HTML 2.0; Paul 
Cotton of Microsoft; 
Roy Fielding, one of 
the primary authors 
of the Uniform 
Resource Identifier 
► continued on page 17 



Modernizing the Mainframe 

Web services drive integration into the glass house 



BY JENNIFER DEJONG 

From SOAP to SOA, from 
XML to WSDL— the story of 
how Web services are emerging 
gets a lot of ink. 

But not so often told is the 
tale of how Web services are mod- 
ernizing the aging mainframe. 

As an integration technolo- 
gy, Web services are all but 
doing away with the need for 
specialized tools that connect 
Java, .NET and other applica- 
tions running on smaller servers 
to those that reside on the mas- 
sive computers that have been 
around since the 1950s. 



"We are seeing a move away 
from integration adapters, 
toward Web services," said 
Mark Cresswell, CEO of Neon 
Systems, a Sugar Land, Texas- 
based company that has been in 
the mainframe integration busi- 
ness for 10 years. "The histori- 
cal model for getting at main- 
frame assets was expensive and 
difficult to implement," he said. 
"Only the most committed have 
realized the value of integrating 
with that environment." 

Neon and other players in the 
mainframe tool market still sell 
traditional "tightly coupled" integration adapters, also known as 
connectors or host access tools. 
But because such offerings are 
aimed at developers schooled in 
the intricacies of the mainframe 
subsystems they are linking to 
(such as CICS or IMS), integra- 
tion vendors are pushing their 
newer offerings based on Web 
services. Such tools open up 
mainframe applications and data 
to a far wider pool of developers, 
who don't have big systems 
expertise. "The developer deliv- 
ering Web apps should be con- 
cerned with the intricacies of the 
► continued on page 17 






SCOsource 
Now a Drop 
In the Bucket 

BY YVONNE L. LEE 

It came down to basic arith- 
metic. Decreasing revenue 
from its SCOsource licensing 
program plus increasing costs 
equaled another bad quarter 
for The SCO Group. 

The bottom line was a more 
than quadrupled quarterly loss 
of US$6.5 million and an annu- 
al loss of $23.3 million com- 
pared with a profit of $5.4 mil- 
lion a year ago. SCO's core 
business, UnixWare products 
and services, was still prof- 
itable, though declining. 

"You can really think of our 
business in two separate buck- 
ets. There's the core business 
bucket and the litigation buck- 
et," said president and CEO 
Darl McBride during a confer- 
ence call. "The core business is 
► continued on page 15 
Zend Launches PHP Runtime Platform 

Claims management tools clear major stumbling blocks in enterprise 



BY EDWARD J. CORREIA 

Proponents of PHP would 
rather forget that it once stood 
for "personal home page." Zend 
Technologies, which makes 
development and acceleration 
tools for PHP, says that while 
the technology has been avail- 
able for years, enterprise adop- 
tion has been somewhat less 
than universal. 

Hoping to spark wider inter- 
est, the company on Jan. 10 
launched Zend Platform, a 
PHP runtime and management 
suite it hopes will remove some 
of the obstacles to adoption suf- 
fered by the open-source 
scripting language. 

PHP is analogous to Java's JSP and Microsoft's ASP, and can be embedded within HTML. "Our customers say that JSP is hard to use and slow," said Pamela Roussos, vice president of marketing at Zend. "And as for ASP users, people that decide to go with Microsoft use it all the way up and down the stack."

The Zend platform will step up enterprise adoption of PHP, says Roussos.

In beta since last July and 
unveiled to early-release cus- 
tomers in October, Zend Plat- 
form is built around Zend Cen- 
tral, a tool that monitors PHP 
applications to provide develop- 
ers and operators with runtime 
intelligence. "And if anomalies 
happen — if a script takes longer 
than usual to run [for exam- 
ple] — you'll see a stop light," 
Roussos said. Developers can 
drill into those signals to help 
reproduce errors and to debug 
apps by viewing stack traces and 
environmental variables. "Errors 
in production are hardly ever 
reproducible by developers [oth- 
erwise]," she asserted. 

New tools from Zend simplify recreation of errors and show offending code.

Errors also can be linked right to the offending code, she said; the tool is integrated with an updated version of Zend Studio, the company's PHP development environment. "Context is also provided," such as the source database and browser type and version being used when the anomaly occurred, Roussos added. Zend Central also lets developers see where deployed applications are spending time. "This ties the [PHP] developer in with production for the first time. No more throwing code over the wall into production."

Now subscription-priced, annual cost is US$995 per single-processor server or $1,495 per server with two or more processors; the software includes Zend Performance Suite acceleration tools, which previously cost about $2,500 to get started, she said.

BRIDGING JAVA 

Also new is Java Bridge, a Java 
proxy service that Roussos 
claimed improves application 



performance and reliability 
when PHP front-end apps link 
with Java back ends. "Every time 
PHP calls Java, a separate Java 
Virtual Machine is executed. 
With Java Bridge, one JVM is 
launched to handle all traffic," 
resulting in far less memory uti- 
lization and fewer memory leaks, 
she said. "Applications that hog 
memory tend to slow down or 
even crash other applications. 
This eliminates that problem." 

The platform also includes 
Configuration Control, a central 
management console for compa- 
nies deploying a number of PHP 
servers within the enterprise. 

New and still sold separately 
is Zend Studio 4.0, which takes a 
$50 bump to $299. Roussos said 
the most significant new feature 
is built-in SQL support, which 
she claimed greatly simplifies 
development when building 
data-driven apps. "Typically 
developers would use two sepa- 
rate tools to do code and data- 
base access. Now you can build 
an application completely within 
Zend Studio and create and 
change database schemas. The 
environment generates all neces- 
sary code for joins or whatever 
database function you're doing." 
All major databases are supported, she added.



Process, Best Practices Are Best Defense 

Government task force recommends ways to improve software security 



BY DAVID RUBINSTEIN 

Education and training of soft- 
ware developers, as well as cre- 
ating and sharing best practices 
for improving quality, are among 
recommendations made last 
month by the U.S. government- 
sponsored Security Across the 
Software Development Life- 
cycle task force for creating 
more secure applications. 

The task force split into sub- 
groups that reflect the issues 
involved, according to co-chair 
Ron Moritz of Computer Asso- 
ciates. In its executive summary, 
the task force said security is a 
research and education issue for 
universities, and involves skills, 
processes and testing for devel- 
opers, requirements for soft- 
ware customers, and a patching 
issue for IT administrators. 

"One of the key recommen- 
dations is to look at how we 
train engineers, and re-educat- 



ing longtime practitioners," 
Moritz said. 

According to the summary, 
the education subgroup recom- 
mends that "software become a 
core component of software 
development programs at the 
university level with sufficient 
resources to build the academic 
capacity to improve secure soft- 
ware development." 

The group also recommends 
a certificate program for securi- 
ty professionals and supports 
creating software centers of 
excellence. Moritz added that 
one of the goals would be the 
funding of academic chairs at 
select universities in the area of 
secure software development. 

Moritz said the group also 
advocates academic research 
into language design. 

"The last major language 
introduced was Java," said 
Moritz; the language was official- 



ly announced in May 1995. "It 
was an improvement over C++ 
in terms of security issues. But 
now, no faculty is researching 
software languages. Could a lan- 
guage be written that would 
ensure secure code?" 

One subgroup urges the 
establishment of a security verifi- 
cation and validation program to 
evaluate different software 
development processes and 
practices for effectiveness in 
producing secure software. 

A patching subgroup worked 
to define ways to make the 
process of patching simple and 
reliable, Moritz said. It devel- 
oped guiding principles for patch 
management and recommended 
the adoption of a "top ten list" of 
best practices. 

Another important area, 
according to Moritz, was finding 
ways to motivate developers to 
create more secure software, as 



well as disincentives for criminal 
and malicious behavior. "Problems come from executives pushing things into the market to 
provide a new service or product 
to stay ahead of the competi- 
tion," Moritz said. The incen- 
tives subgroup recommended 
making the security of software 
one measure of a developer's job 
performance. 

Moritz pointed out that the 
work of the task force is only a 
recommendation, adding, "I 
don't think any of us think man- 
dates are required or should be 
pursued." 

The National Cyber Security Division of the U.S. Department of Homeland Security could simply advise purchasing agents, CIOs and programmers to begin to implement the recommendations. He did say the department could stop doing business with vendors that fail to show that they've implemented the recommendations to write secure code. With the departures of Tom Ridge as secretary of the Homeland Security Department and Amit Yoran as head of the National Cyber Security Division, Moritz admitted the initiative has momentarily stalled. But he added that similar initiatives to create and ensure secure software already are under way in the industry.

Programmers may need incentives to create more secure software, says CA's Moritz.
Instant Messaging in the Enterprise 

How developers are using IM APIs to interface with back-end systems 



BY EDWARD J. CORREIA 

As football great Vince Lombar- 
di once said, "There's no I in 
team." But there's certainly one 
in IM. Instant messaging is being 
used increasingly by enterprise 
teams — authorized or not — as a 
means to communicate and col- 
laborate in real time. 

Indeed, it might surprise IT 
administrators to learn that 85 
percent of U.S. enterprises 
today use the technology, 
according to a study published 
by tech research firm Radicati 
Group in June 2004. 

Along with the rise of free 
services such as AOL's Instant 
Messenger, Microsoft's MSN 
and Yahoo Messenger — which 
by their nature track and dis- 
play a user's status through PC 
activity — have come tools to 
allow developers to tap into 
what software vendors are call- 
ing "presence information" 
and integrate it within their 
applications. 

"Instant messaging has 
become the lifeblood of the 
trading floor," said Furqan 
Nazeeri, CEO of Pivot Solu- 
tions, a Boston-based ISV that 
develops IM-based solutions 
for the securities trading indus- 
try. "The problem is that IM 
networks are disconnected 
from enterprise systems." 




Be sure your vendor has signed deals with IM network providers or your 
application could stop working, advises Singlefin's Jacoby. 



To bridge the gap, Pivot 
develops and markets IMTrader, 
a tool that Nazeeri said replaces 
publicly available IM clients with 
one that integrates IM networks 
with the trading networks of bro- 
kers. "IMTrader allows you to 
use IM as a front end for accessing financial [information from] a 
broker's system," and conducting 
trades through an IM window. 

He said that from its most 
practical standpoint, IMTrader 
is useful simply by helping to 
eliminate trading errors. "Over 
the phone, 'Buy 50,000 IBM' 
sounds a lot like 'Buy 50,000 
IPN.' There are classes of errors 
that get reduced by having 
things typed out and integrated 
without rekeying." He claimed 
that several customers using the 



tool now handle 90 percent or 
more of orders electronically. 
"Before, everything was over the 
phone." 

Underlying IMTrader is the 
IMLinkage middleware and 
API from IMlogic. IMLinkage, 
delivered as plug-ins to Visual 
Studio or Eclipse, intercepts 
IM traffic and provides an API 
that according to CEO Francis 
deSouza, blends APIs of the 
disparate IM networks. "All the 
IM clients have the notion of 
idle, but might use different 
words" to indicate that condi- 
tion, such as idle or away. "We 
provide a single, consistent and 
unified way to integrate your 
applications with the different 
IM networks." 

The IMLinkage tools also are 



being used at Thomson Financial to enhance an existing application that lists which traders are 
registered to do a particular 
trade, deSouza said. "We're 
working with them to build pres- 
ence into that so you can see not 
only who [has] registered inter- 
est for the trade, but also if they 
are present. As a trader, that's 
valuable because instead of call- 
ing all the people on the list, you 
can focus on the people that are 
available right now." 

IMlogic and others like it 
also introduce the concept of 
virtual buddies, software-based 
automatons that can reside in 
a user's buddy list and respond 
automatically to stimulus. Com- 
peting with IMlogic is Akonix 
Systems, which develops L7 
Builder, a server, API and 
libraries for Java and .NET that 
let developers create virtual 
buddies and the back-end logic 
that gives them functionality. 

Francis Costello, chief mar- 
keting officer at Akonix, said his 
company developed an automa- 
ton for directory lookups. "It 
responds to my IM queries by 
accessing the data and feeding 
it back to me within that IM 
window as if it were a person 
looking stuff up in the directo- 
ry," he said, adding that such 
applications can perform far 



It's Dullsville at Java Tools Community Party 



BY YVONNE L. LEE 

The Java Tools Community may 
not be a party where no one 
came, but it appears to be a par- 
ty where guests showed up, but 
nobody talked and not much 
happened. 

Sun announced the commu- 
nity in January 2004 to make the 
Java platform more amenable to 
tools. It created a separate Web 
site to gain insight from those 
who use tools, as well as for the 
various tool makers to interact. 
The results of that interaction 
and insight would be used to cre- 
ate new Java Specification Re- 
quests for the Java Community 
Process. To date, no JSRs have 
emerged from the JTC, said Sun 
spokesman Tom Baker. 

One way the JTC may get 
off the ground is by moving its 
site to more established Java 
communities. Instead of con- 
tinuing to maintain its own 



javatools.org site, later this 
month the group plans to move 
into Sun's java.net site, accord- 
ing to Ted Farrell, architect and 
director of strategy for applica- 
tion development tools at Ora- 
cle, which was a founding 
member of the JTC. 

"We as vendors are always 
talking to each other and trying 
to spark JSRs," he said. "Java 
Tools Community is supposed 
to help. It hasn't got its feet on 
the ground yet." 

WIDER SUPPORT 

The JTC received a measure of 
legitimacy last spring when 
Borland, which had been unde- 
cided about whether to join the 
group, hopped on board. Bor- 
land's senior product manager 
for Java solutions, Axel Kratel, 
said he did not know when his 
company joined the organiza- 
tion, but that it joined to exert 



pressure on the Java process 
concerning Java tools. 

"There hasn't been a lot of 
things coming out of the JTC. 
That has been a bit disappoint- 
ing," he said. "Most of the influ- 
ence we've been exerting has 
been through the JCP." 

Borland's JBuilder was the 
second most popular IDE among 
enterprise developers in a study 
conducted by BZ Research in 
November 2004. BZ Research is 
a division of BZ Media, publisher 
of SD Times. 

The Eclipse Foundation, 
which according to the study has 
the most popular IDE, is not a 
part of the JTC, nor is IBM. Ini- 
tially, some outside observers saw 
the JTC as a competitor to the 
Eclipse Foundation, but Kratel 
said that Borland does not 
believe that to be the case. 

"I would be highly skeptical 
if anything that came out of this 



would actually combat Eclipse," 
he said. "I also don't view it 
as a competing initiative." 

Two areas where Kratel 
hopes that the JTC will exert 
more influence are giving Java 
tools a standard way to accept 
and represent components, and 
a similar common way to gener- 
ate deployment specifications 
for various applications. 

"You should be able to drop 
a third party component in any 
IDE and the IDE would know 
how to represent that compo- 
nent," he said. 

So Kratel is hoping the JTC 
"party" will supply him with the 
connections to make that hap- 
pen. In the meantime, he isn't 
being a wallflower. "Right now, 
we have no choice but to just do 
a proprietary implementation of 
how components get handled," 
he said. 

Let the matchmaking begin. 



more complex tasks. 

One such task was described 
by deSouza, who said he was 
perplexed when approached by 
a major hospitality chain that 
was looking to create a branded 
IM presence for booking hotel 
rooms. "We said, 'You can do all 
that on a Web site. Why do it on 
IM?' Their interesting response 
was, 'When our customers got 
fax machines, we needed a fax 
interface. When they got e-mail 
and Web, we needed e-mail and 
Web. Now our clients are on 
IM, so we need to open up an 
IM storefront.'" 

A still more complex exam- 
ple was offered by Pivot's 
Nazeeri, who claimed that 
developers use IMTrader to 
monitor IM exchanges between 
money managers and brokers, 
for example, and perform 
actions based on key phrases 
passing between them. 

"The broker might say that 
Cisco is going to be moving 
on pre-open news, and you say, 
'Great, b50k cisco,'" said 
Nazeeri. "IMTrader would un- 
derstand that as a trade and 
would step in and offer a chal- 
lenge response to the buy side, 
send it to the broker's trading sys- 
tem, and send back an acknowl- 
edgement. It's a virtual buddy on 
top of an existing communica- 
tion. We call that a bionic buddy." 

There are some serious 
downsides to tying enterprise 
applications to public networks, 
the most obvious of which is 
security. Both Akonix and 
IMlogic offer optional logging, 
filtering and other measures to 
stop or limit unwanted traffic. 

Another possible pitfall is protocol switching, which according to Jake Jacoby, CEO of managed protection services company Singlefin, occurs with some regularity among the public network providers. "Unless you sign a deal with AOL, MSN and Yahoo, they make it difficult; they're big players and they own the space," and change their protocols to prevent unlicensed ISVs, such as the developer of the multiprotocol client Trillian, from gaining a foothold illegally. Akonix and IMlogic have such deals. "So if they change their protocols, you could put a lot of development into a really cool app and find that suddenly it no longer works."
Clustering in Orbix 6.2 Gangs Up on Security 



BY EDWARD J. CORREIA 

Iona Technologies in Decem- 
ber increased the high-avail- 
ability features and security of 
Orbix 6.2, the company's enter- 
prise object request broker. 
The new version is free to 



maintenance customers and is 
binary-compatible with the pre- 
vious version, 6.1. 

Central to the new version, 
according to Neil Kenealy, Iona's 
senior product manager for 
CORBA products, is the Securi- 



ty Service, which he said now 
supports security clustering 
under a common security infra- 
structure for both Orbix and 
Artix, the company's enterprise 
service bus. "The advantages of 
this are high availability — it can 



failover to an alternate security 
service — and it allows you to 
load-balance by spreading the 
load over a number of servers." 
While some high-availability 
features have been available in 
Orbix for years, Kenealy said 
the product lacked automatic 
failover. "When a slave [node] 
needed to be converted to a 
master, there had to be human 
intervention to promote a slave 
to master. Now with 6.2, a slave 
can be upgraded automatically." 

Security services also can 
now be federated, which gives 
developers the ability to offer 
single sign-on capability across 
multiple servers. "Users are 
often reluctant to put in their 
passwords [several] times. When 
you make security easier to use, 
your systems end up being more 
secure," Kenealy said. 

He claimed that applications 
do not need to change to take 
advantage of Orbix 6.2. 
"Changes involve setting a few 
switches in your setup, but no 
programmatic changes are nec- 
essary. You can plug it in without having to recompile."

New Systinet 
Server For 
WebSphere MQ 

BY JENNIFER DEJONG 

Systinet unveiled a new server 
for MOM last month. 

Systinet Server for IBM 
WebSphere MQ uses Web ser- 
vices to link applications and 
data to IBM's message-oriented 
middleware without writing 
code, said Dave Butler, Systinet's 
vice president of marketing. 

Systinet WebSphere MQ, 
which costs US$35,000 per serv- 
er processor, is aimed at users of 
Systinet Registry, a private Web 
services registry designed for 
enterprise use, he added. 

The software, which joins Systinet's similar servers for TIBCO RV and SonicMQ, supports WS-Addressing, WS-Eventing, WS-ReliableMessaging and WS-Security. It offers an alternative to IBM's approach to accessing data in apps tied to WebSphere MQ, said Butler.

While developers could use 
IBM's Web services develop- 
ment kit to accomplish the same 
task, doing so requires writing 
code for a Web services wrapper, 
he said. In addition, IBM's Web services development kit does not support WS-ReliableMessaging and WS-Eventing, he said.

IBM did not dispute Butler's claims. "We're glad that Systinet both appreciates the foundational importance of WebSphere MQ in the SOA marketplace and endorses the standards we've co-written," said Bob Sutor, director of WebSphere software.
Education on the 2005 Agenda 



BY ALAN ZEICHICK 

Warm up that training and trav- 
el budget — conference produc- 
ers, magazine publishers and 
major tools/platform vendors are 
all counting on you and your 
staff to attend a wide range of 
events in 2005. 

From topical conferences on 
aspect-oriented programming 
and software security, to plat- 
form-specific shows for Win- 
dows and Java, to vendor- 
focused events for specific user 
communities, there are many 
educational events and trade 
shows from which to choose. 

A broad listing of software 
development events for 2005 is 
available at www.bzmedia.com/calendar. However, some of the 
most widely influential events 
are described below. 

The Java community's flag- 
ship event is Sun's JavaOne 
conference, June 27-30 in San 
Francisco. A smaller forum is 
TheServerSide Java Sympo- 
sium in Las Vegas from March 
3-5. 

.NET developers have a wide 
variety of educational events 
from which to choose, ranging 
from the broad Tech-Ed, sched- 
uled for June 5-10 in Orlando, 
Fla., and the more future-facing 
Professional Developers Con- 
ference, Sept. 13-16 in Los 
Angeles. 

Microsoft also plays a key 
role in Fawcette's VSLive 
events, Feb. 6-10 in San Fran- 
cisco and April 13-16 in Toronto. 

There are several confer- 
ences planned for the Linux 
community, including the 
OSDL Enterprise Linux 
Summit in the San Francisco 
Bay Area from Jan. 31-Feb. 2; 
the LinuxWorld Conference 
in Boston on Feb. 14-17; Linux 
on Wall Street in Manhattan 
on April 20; and O'Reilly's Open 
Source Convention in Port- 
land, Ore., from Aug. 1-5. There 
also will be a second Linux- 
World Conference in San 
Francisco from Aug. 8-11. 

NO MAC YET 

The Mac development commu- 
nity can't make its 2005 confer- 
ence plans yet, as dates haven't 
been announced for Apple's 
World Wide Developers 
Conference, generally held in 
the summer in San Francisco, 
or O'Reilly's Mac OS X Conference, usually in the fall in Silicon Valley. The more consumer-focused Macworld Expo was in San Francisco on Jan. 10-14, and will appear in Boston on July 18-21.

Several conferences serve the IBM developer community, ranging from the IBM Rational User Conference in Las Vegas from May 22-26; the SHARE conference in Anaheim from Feb. 27-March 4; IBM PartnerWorld in Las Vegas from Feb. 27-March 2; Lotusphere in Orlando from Jan. 23-27; and IDUG, for DB2 users, in Denver from May 22-26. Dates for other IBM events, such as its developerWorks Live conference, haven't yet been announced.

Other major platform-specif- 
ic events include Oracle Open- 
World, Sept. 18-22 in San 
Francisco; Intel Developer 
Forum, March 1-3 in San Fran- 
cisco; Novell BrainShare, 
March 20-25 in Salt Lake City; 
► continued on page 14 
Sunopsis: Not Just ETL Anymore 

Claims to build better enterprise service bus, more open hub 



BY EDWARD J. CORREIA 

Sunopsis, which offered strictly 
ETL solutions since opening its 
doors in 1998, will embrace a 
variation of the enterprise ser- 
vice bus model as it broadens 
its line to include conventional 
integration tools. 

The company on Jan. 17 is 
set to release Sunopsis 4, which 
will combine an enhanced ver- 
sion of its visual extract-trans- 
form-load development envi- 
ronment with an enterprise 
data repository, integration 
hub, and data and service bus 
components. 

"As time went on, we real- 
ized that our clients were using 
our ETL technology for appli- 
cation integration," said Yves de 
Montcheuil, director of product 
marketing at Sunopsis. "That's 
what started us broadening the 
scope of our product." Starting price for the suite is US$35,000 for Linux, Unix or Windows, and is based on project size and the number of developer seats.

Integration is all about moving data, says Sunopsis' de Montcheuil.

Central among the three new components is ActiveData, which de Montcheuil described as a real-time repository for all application data shared within the enterprise. "Every update to any application in a production application is propagated to the ActiveData hub and in turn to all applications that consume those updates."

In addition, de Montcheuil 
said ActiveData reconciles and 
consolidates data between sys- 
tems. "Very often there is some 
overlap between several sys- 
tems. This is merging all the 
data together." Data is kept in 
sync through interfaces built by 
developers that push changes 
from individual apps to the hub, 
which also cleanses the data 
based on business rules. 

The use of an integration 
hub also simplifies EAI, de 
Montcheuil said. "With Active- 
Data, you build an interface 
between an application and the 
repository only once. If you add 
a new application, you only 
need to link it to the ActiveData 



hub, not to the other existing 
applications. This makes inte- 
gration of new and existing 
applications faster and easier." 

A messaging layer is provid- 
ed by DataBus, which de 
Montcheuil said functions simi- 
larly to the hub but without the 
persistence capability. "Instead, 
events and updates to data are 
sent from the source to target 
applications through a messag- 
ing middleware. Along the way, 
data is transformed and 
cleansed the same way" as in 
the hub, and updates are prop- 
agated directly to target apps. 

de Montcheuil also asserted 
that DataBus is unlike the aver- 
age ESB. "We still believe that 
the way to integrate applications 
is by moving data. And [while] 
that is part of what an enterprise 
service bus does, some also try to 
present more via business pro- 
cess modeling. Because whether 



BPEL Maestro Orchestrates Long-Term Processes 



BY YVONNE L. LEE 

Features that compensate for 
long-term applications that can 
spend weeks or months between 
initial query and ultimate re- 
sponse are at the core of Para- 
soft's BPEL Maestro 1.5, a run- 
time engine and toolkit designed 
to help companies integrate 
applications and implement a 
service-oriented architecture. 

Although the software is 
numbered 1.5, Parasoft's Jim 
Clune said it is the first generally 
available release of the product. 

One of the key features nec- 
essary for long-running applica- 
tions is the ability to indicate 
the various processes' states. 

"Early Web services have 
been synchronous," said Clune. 
"The request and response 
occurred on the same connec- 
tion. When you have a response 
that's coming back three weeks 
after the request, you can't have 
a network connection open that 
long." 

As a result, the messages 
sent by BPEL Maestro include 
information about state and the 
messages to which they need to 
connect, he explained. 

The program also accounts 
for the fact that long-running 
applications cannot maintain a 
constant connection between 
the computer making the origi- 
nal request and the server from 
which it needs a response. So 
instead of locking the resources 
and maintaining the connection, 
the software sets up a method of 
backing out of the transaction if 
it is interrupted and unable to 
recover, Clune said. 

In addition, because long- 
term transactions will have many 
instances of a given process, it 
will be necessary to move those 
processes out of memory and 
onto disk in a procedure Clune 
referred to as dehydration, then 
pulling the processes off disk 
when they are needed later, 
which Clune called rehydration. 
Clune acknowledged that mov- 
ing this information from mem- 
ory to disk and back would slow 
the application, but said the 
trade-off was that it would 
enable it to scale. 

"This does have performance 
implications," he said. "There's a 
trade-off that you get quicker 
response times [if you don't 
dehydrate], but if you dehy- 
drate, you can scale to a larger 
number of processes concur- 
rently. In a process that extends 
over weeks, the millisecond time 
scale performance issue is going 
to be less important than the 
concurrency issue." 
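As an added illustration (not Parasoft's code, and not a description of how BPEL Maestro is built), the Python sketch below shows the three ideas Clune describes together: a request that carries a correlation id so a reply arriving weeks later can be matched to its process instance, dehydration of the waiting instance to disk so it holds neither memory nor an open connection, and compensation that backs out completed steps when the reply reports failure. All class, message and field names are hypothetical, and the inventory and messages are constructed sample data.

```python
import json
import os
import tempfile
import uuid

# Hypothetical on-disk store; a temp directory stands in for the engine's database.
STORE_DIR = tempfile.mkdtemp(prefix="bpel_store_")


class ProcessStore:
    """Dehydrates idle process instances to disk and rehydrates them on demand."""

    def __init__(self, directory=STORE_DIR):
        self.directory = directory

    def _path(self, correlation_id):
        # Only accept well-formed UUIDs, so a reply cannot steer the store
        # towards an arbitrary file name.
        try:
            uuid.UUID(correlation_id)
        except (ValueError, TypeError):
            return None
        return os.path.join(self.directory, correlation_id + ".json")

    def dehydrate(self, instance):
        # Persist the complete state; nothing about the instance stays in memory.
        with open(self._path(instance["correlation_id"]), "w") as fh:
            json.dump(instance, fh)

    def rehydrate(self, correlation_id):
        # Returns None for ids with no waiting instance (unknown, already
        # completed, or replayed), so the caller drops such replies.
        path = self._path(correlation_id)
        if path is None or not os.path.exists(path):
            return None
        with open(path) as fh:
            instance = json.load(fh)
        os.remove(path)  # the instance is back in memory now
        return instance

    def pending(self):
        return sum(1 for n in os.listdir(self.directory) if n.endswith(".json"))


class LongRunningEngine:
    """One process type: reserve stock, request a partner quote, wait, complete."""

    def __init__(self, store):
        self.store = store
        self.in_memory = {}          # instances currently executing a step
        self.outbox = []             # messages handed to the messaging layer
        self.stock = {"widget": 10}  # constructed sample inventory

    def start(self, order):
        cid = str(uuid.uuid4())
        inst = {"correlation_id": cid, "state": "WAITING_FOR_QUOTE",
                "completed_steps": [], "order": order}
        self.in_memory[cid] = inst
        # Step 1 takes a resource and records that it did, so it can be undone.
        self.stock[order["item"]] -= order["qty"]
        inst["completed_steps"].append("reserve_inventory")
        # Step 2 sends the request; the reply may arrive weeks later, so the
        # message carries the id the reply must quote back.
        self.outbox.append({"type": "quote_request", "correlation_id": cid,
                            "order": order})
        # Step 3 dehydrates: no memory and no open connection while waiting.
        self.store.dehydrate(inst)
        del self.in_memory[cid]
        return cid

    def on_reply(self, message):
        inst = self.store.rehydrate(message.get("correlation_id"))
        if inst is None:
            return "ignored"
        cid = inst["correlation_id"]
        self.in_memory[cid] = inst
        try:
            if message.get("type") != "quote_reply" or message["status"] != "ok":
                raise RuntimeError("partner could not fulfil the request")
            inst["quote"] = message["price"]
            inst["state"] = "COMPLETED"
        except (KeyError, RuntimeError):
            self._compensate(inst)  # interrupted and unable to recover
        finally:
            del self.in_memory[cid]
        return inst["state"]

    def _compensate(self, inst):
        # Back out completed steps in reverse order instead of leaving the
        # resource locked for the life of the process.
        for step in reversed(inst["completed_steps"]):
            if step == "reserve_inventory":
                self.stock[inst["order"]["item"]] += inst["order"]["qty"]
        inst["completed_steps"] = []
        inst["state"] = "COMPENSATED"


if __name__ == "__main__":
    engine = LongRunningEngine(ProcessStore())
    cid = engine.start({"item": "widget", "qty": 3})
    print("dehydrated instances:", engine.store.pending())
    print(engine.on_reply({"type": "quote_reply", "correlation_id": cid,
                           "status": "ok", "price": 42.0}))
```

A reply whose correlation id matches no dehydrated instance, including a replay of one already consumed, is ignored rather than acted on.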

BPEL Maestro is priced per 
seat per user; a three-user 
license for a single server would 
cost US$20,000, according to 
the company. 

BPEL Maestro's accompa- 
nying Eclipse plug-in toolkit 
includes a multilevel BPEL 
process editor with three differ- 
ent views. The high-level view 
creates BPEL processes from 
UML Activity diagrams. A tree 
view is based on the document 
object model and a text editor 
with syntax highlighting. 

"These three views are inte- 
grated so you can move through 
the views fluidly," said Clune. 

The BPEL Maestro toolkit 
also includes a management por- 
tion for deploying and removing 
BPEL processes from the run- 
time engine, and a debugging 
component that is integrated 
with the Eclipse debugger and 
the high-level view. 



you are moving large amounts of 
data or small updates and events, 
in the end it's about moving data 
from one application to another. 
We provide a more pragmatic 
approach than those that require 
redesigning business processes." 

Synchronous communication 
is provided by a third module, 
DataServices, which provides a 
mechanism for developers to 
expose data stores, databases and 
tables as services for internal use 
or for exchanges with business 
partners. 

Enhancements to the ETL 
environment, according to de 
Montcheuil, are mainly aimed 
at team development, including 
version control, code check- 
in/check-out, and workflow and 
user interface improvements. 
When describing the unique 
way the tool works, de Mont- 
cheuil said it's more like an ELT 
because it does the extraction, 
then the loading, then the 
transformation, which happens 
on the target. "Instead of 
putting an ETL engine 
between sources and targets, 
Sunopsis performs all transfor- 
mations within the database 
that contains the data. That's an 
advantage because engines 
from Oracle, DB2 [and] SQL 
Server are more efficient to 
process data than proprietary 
ETL engines. And you don't 
have to deploy a separate 
engine, and you remove a big 
bottleneck." 



COMPUTER PIONEER 
DAVID J. WHEELER DIES 



BY YVONNE L. LEE 

Long before there was object- 
oriented programming, David 
John Wheeler created the closed 
subroutine, which enabled seg- 
ments of code to be written inde- 
pendently of the main applica- 
tion flow and called as needed. 

Wheeler, who also was in- 
volved with some of the earliest 
computers, such as the Univer- 
sity of Illinois' ILLIAC— the 
first computer to be wholly 
owned by an educational insti- 
tution — died Dec. 13 in Cam- 
bridge, England. He was 77. 

A native of Birmingham, 
England, Wheeler was an 
emeritus professor of computer 
science at the University of 
Cambridge when he died. He 
had received his Ph.D. in com- 
puter science there in 1951. 

At Cambridge, he worked on 
the original EDSAC, which was 
the first practical stored-pro- 
gram computer, and he wrote 
the first program ever to be 
stored in a computer's working 
memory. He also was known for 
his work on data compression. 

He was elected a Fellow of 
the British Computing Society in 
1970. In 1981, he was elected a 
fellow of the Royal Society. He 
was awarded the Pioneer Medal 
of the IEEE in 1985, and in 2003 
was made a fellow of the Com- 
puter History Museum. 
[Photo: David J. Wheeler] 

"David will be remembered 
for his vast knowledge of all 
areas of computing, for his will- 
ingness to talk with anyone 
about the things which interest- 
ed him, for his friendliness and 
for his humility," said Andy 
Hopper, head of the computer 
laboratory at Cambridge, in a 
statement. "David was an inspi- 
ration and a help to hundreds of 
students and colleagues over 
his long career." 
Date: Wednesday, January 19 

Time: 10:00 a.m. Pacific 
(1:00 p.m. Eastern) 



DESCRIPTION: Developing and deploying software in the 21st century 
has taken on new levels of complexity and security risks. In this 
presentation, Gartner Group and CollabNet help you solve the four 
fundamental problems that inhibit project success and create secu- 
rity risks when developing software in distributed environments. 




Speaker: Dr. Gopinath Ganapathy 
Vice President, Engineering, Collab- 
Net Inc. 

Dr. Gopinath Ganapathy joined 
CollabNet in April 2003 as vice 
president of engineering when 
CollabNet acquired the assets of Enlite 
Networks Inc., an enterprise collaboration 
technology startup. Dr. Ganapathy was previous- 
ly the founder and CEO of Enlite Networks Inc. 
and has nearly 20 years of technology, soft- 
ware, and executive management experience in 
the electronics industry. Dr. Ganapathy started 
Enlite Networks after leaving Cadence Design 
Systems, where he was a vice president of 
marketing for the Verilog product line. 




Speaker: Theresa Lanowitz 
Research Director, Gartner Inc. 

Theresa Lanowitz joined Gartner in 
July 1999 where she is a member of 
the Research and Advisory Services 
organization specializing in soft- 
ware quality assurance and mobile application 
development. Prior to joining Gartner Group, 
Ms. Lanowitz held the position of marketing 
strategist for Sun Microsystems Inc.'s Jini pro- 
ject. She also headed the marketing department 
of the Internet products division at Borland 
International where she was responsible for the 
introduction of the JBuilder Java IDE and 
Borland C++. 



Moderator: David Rubinstein 
Editor, SD Times 
David Rubinstein brings more 
than 25 years of newspaper 
experience to his role as 
editor of SD Times. He has 
covered a wide range of software develop- 
ment issues, including collaboration, 
change and configuration management and 
software testing, in his five years at 
the helm, and writes a regular column 
that examines the development industry 
as a whole. 
DESCRIPTION: 

Learn how to implement successful strategies to 
automate the detection and removal of software 
security vulnerabilities early in the develop- 
ment life cycle. Throughout this presentation, 
practical techniques for improving security in 
both new and existing software systems will be 
demonstrated. Attendees will view a case study 
showing examples of real security vulnerabili- 
ties found in open-source software using auto- 
mated static analysis technology. In addition 
to automating the detection of security 
defects, the presentation will address security 
in the context of the software's design and ar- 
chitecture. 



Speaker: Djenana Campara 
Chief Technology Officer, Klocwork 

Djenana Campara founded Klocwork in 
2001 after successfully spinning it 
out of Nortel Networks and establish- 
ing it as an independent company. Ms. Campara 
brings 19 years of software experience to the 
role of CTO at Klocwork, and has been awarded 
four U.S. patents for her groundbreaking software 
development work in creating Klocwork inSight. 
Ms. Campara co-chairs the Object Management 
Group (OMG) Architecture-Driven Modernization 
Task Force, and serves as a board member on 
the Canadian Consortium of Software Engineering 
Research (CSER). She has published several papers 
and has been quoted in numerous publications. 
Moderator: David Rubinstein 
Editor, SD Times 
Traceability Matrix, Policy Engine New to Speedev 



BY DAVID RUBINSTEIN 

Speedev last month launched 
version 4.0 of its software life- 
cycle management solutions 
with a new business policy 
engine and traceability matrix, 
among other features. 

Speedev, sold in requirement, 
issue and life-cycle management 
packages, offers a single database 
in which an enterprise's require- 
ments, design, use and test cases 
and defect-tracking can be 
stored, and integrates with such 
products as Microsoft's Visual 
SourceSafe and Project, Mer- 
cury's Test Director and with 
CRM applications, according to 
Sandeep Tiwari, vice president of 
sales and marketing. 

Version 3.8 of Speedev had a 
rules engine, while the policy 
engine is more powerful, said 
Tiwari. "When a person says a 
requirement is completed, or a 
use case created, the policy 
engine will watch for that. Then, 
it will automatically create a task 
for the next person to create a 
test plan around that use case." 
The policy engine also can be 
used to deliver notifications to 
project stakeholders, he added. 

VIEWING RELATIONSHIPS 

The traceability matrix allows 
users to see all the entities in a 
system and all the interrelation- 
ships between those entities, 
Tiwari explained, citing three 
kinds of interrelationships — 
affecting, in which a user's 
changes impact other entities; 
depending, in which changes to 
other entities impact the user's 
work; and bidirectional, in 
which changes to entities impact 
each other. The drag-and-drop 
matrix enables users to create 
relationships, he said. 

Version 4.0 also has an updat- 
ed graphical workflow designer, 
which introduces automated 
escalation and synchronization 
nodes, Tiwari said. The escala- 
tion node automates the process 
of taking a different course of 
action if certain aspects of a pro- 
ject haven't happened in the 
correct amount of time, while 
the synchronization node has a 
rule to see if all the code needed 
for a requirement or specifica- 
tion has been checked in, so a 
build can be run. 

"You don't have to walk 
around to see who's done," Tiwari 
noted. The designer also is 
important for companies that are 
following the Capability Maturity 
Model or industry regulations 
such as HIPAA or Sarbanes- 
Oxley to lay out their process 
for compliance purposes. 

The user interface also has 
been overhauled with the ability 
to customize forms for managing 
such features as requirements, 
use cases, test plans, architec- 
ture, defects, change requests 
and help desk issues, he said. 

Speedev RM and Speedev 
IM cost US$6,800 for a five-user 
pack; the enterprise edition of 
both adds the workflow designer 
and costs $3,880 for one admin- 
istrator and $1,400 per standard 
user, Tiwari said. Speedev LM, 
which combines issues and re- 
quirements management, costs 
$8,000 for a five-user pack, while 
Speedev LME, the top-of-the- 
line enterprise edition that 
includes "everything we make," 
Tiwari said, costs $5,880 for one 
administrator and $1,800 for 
each standard user. A subscrip- 
tion option also is available, 
Tiwari said. 
NEW PRODUCTS 



The Ukrainian firm CS Odessa is offering LeadingProject 1.0, a project 
management tool for Mac OS X and Windows. The US$249 software 
lets projects share resources, and allows one project to be embedded 
into another, synchronizing changes while preserving dependencies. 
LeadingProject can read and write Microsoft Project XML files . . . 
Accelerated Technology is offering Nucleus SIM for Universal Serial 
Bus, which lets embedded developers build USB-enabled devices 
using the Nucleus SIMdx prototyping environ- 
ment. SIMdx starts at US$4,995 per seat; the 
SIM for USB software is another $995 . . . Anti- 
spyware tools provider Aluria is offering a new Aluria Software Devel- 
opment Kit to help enterprise developers and ISVs embed anti-spy- 
ware features into their applications. The C++-based SDK includes 
both spyware detection and removal functions. 



UPGRADES 



Language Analysis Systems is offering version 1.1 of NameParser, a 
server application designed to correctly interpret international prop- 
er names. The latest version of the application, which runs on Linux, 
Solaris and Windows, has improved features for managing first and 
last names. NameParser has Java, C++ and SOAP APIs . . . Perfor- 
mance Solutions Technology has updated its ManagePro project 
management software. Version 6.7 gives managers one-click visibili- 
ty into their employees' to-do lists, appointments and activity priori- 
ties. It also makes it easier to see who is leading or responsible for 
specific tasks, and improves the accuracy of "percent complete" 
tracking for projects ... In mid-January, AutomatedQA is increasing 
the price of TestComplete Enterprise from US$599.99 to $799.99. 
The software handles unit, functional, regression, distributed and 
HTTP performance testing; the enterprise edition includes a test 
recorder and command-line execution utility . . . Captaris has updat- 
ed and renamed Teamplate for .NET, a business process workflow 
management system. Now called Workflow, version 
5.0 can integrate with Microsoft's SharePoint por- 
tals and user interface. It also includes new templates, and lets devel- 
opers develop and debug workflow using Visual Basic or C# inside 
Visual Studio .NET . . . The Eclipse Foundation has released version 
3.2 of its Test & Performance Tools Platform. This update enhances 
data communications, has better statistical analysis representation 
and simplifies test deployments. Eclipse also announced that Com- 
puter Associates, which has just joined the consortium, will be donat- 
ing code to the TPTP project . . . BEA has upgraded its family of 
Tuxedo Mainframe Adapters. The new adapters now support appli- 
cations built on IMS 8.1 and CICS 2.3 . . . VersionOne has announced 
the fifth release of its eponymous agile project management tools. 
The new release of VersionOne can work 
with Extreme Programming, Scrum, 
DSDM and now, the Agile UP methodology . . . Version 2.2 of 
JNBridgePro, a Java/.NET interoperability tool from JNBridge, now 
supports callbacks, including events and delegates, in Java-to-.NET 
projects. It also now can handle pass-by-value objects and direct- 
mapped collections, and offers more automated conversions between 
objects, including date, time and extended precision values . . . Red 
Gate Software has updated its SQL Bundle Developer Edition, a set 
of tools for administering, developing and distributing SQL Server 
databases. New to the suite is a command-line facility for automating 
the tasks of comparing, synchronizing and packaging databases, as 
well as a new compression option. The bundle costs US$990, or 
$1,237 with 12 months of support and upgrades. 






PEOPLE 



FileMaker, which offers database software for Mac OS X 
and Windows, has hired Simon Thornhill as VP of engi- 
neering. Thornhill had been a well-known spokesman for 
Borland, serving as VP and general manager for the .NET 
tools group, and then in a similar role for Borland's RAD 
tools group. 
LinuxWorld Follows 
Migration to Boston 




BY EDWARD J. CORREIA 

Will 2005 be the year of Linux 
on the desktop? This perennial 
question is among the course 
titles of Client Side Linux, one 
of eight conference tracks at 
this year's LinuxWorld Confer- 
ence & Expo, to be held Feb. 
14-17 at the Hynes Convention 
Center in Boston, the first time 
the show will be held there. 

Housed for years at New 
York's Jacob K. Javits Conven- 
tion Center, the LinuxWorld 
Conference was drawn to 
Boston along with several open- 
source heavy-hitters, including 
Novell, now headquartered in 
Waltham, Mass., and Red Hat, 
which last year moved its devel- 
opment center to Boston. 

"Boston is becoming a hub 
for Linux and open-source 
development," said Mike Spon- 
seller, a spokesman for confer- 
ence organizer IDG World 
Expo, adding that the number 
of registered exhibitors already 
has exceeded the 153 exhibitors 
at last year's event in New York. 
Sponseller said that organizers 
expect to draw attendance from 
academia in the vicinity, includ- 
ing Harvard and MIT, and from 
the community surrounding the 
Free Software Foundation, 
based in nearby Cambridge, 
Mass. IDG also will drive atten- 
dance at the new venue, Spon- 
seller said, by offering free 
online exhibit registration until 
the first day of the conference; 
the cost is US$35 afterward. 

Novell CEO Jack Messman 
will deliver the opening keynote, 
"Identity and Information," 
which will center around how 
companies can develop and 
extend identity services to 
include a broad array of business 
assets, including open-source 
platforms and applications. 



CONFERENCE: Feb. 14-17 
Hynes Convention Center, Boston 

TUTORIALS: 
Monday, 9 a.m.-4 p.m. 

HANDS-ON LABS: 
Monday, 9 a.m.-4 p.m. 

EXHIBITS: 
Tuesday, 10 a.m.-5 p.m. 
Wednesday, 10 a.m.-5 p.m. 
Thursday, 10 a.m.-4 p.m. 

KEYNOTES: 
Tuesday: 9:15 a.m.-10 a.m., "Identity 
and Information," Jack Messman 
11:45 a.m.-12:30 p.m., "Making Open 
Source Work for You," Martin Fink 
2:45 p.m.-3:30 p.m., "Open Source 
Transformations," John Swainson 
Wednesday: 11 a.m.-11:45 a.m., "The 
Future of the Internet and Open 
Technology," John Patrick 
2:30 p.m.-3:15 p.m., "Fear and 
Loathing in LinuxWorld: 
Commoditization, Commercialization 
and the Customer," Martin Mickos 

GOLDEN PENGUIN BOWL: 
Tuesday, 4:30 p.m.-5:30 p.m. 
www.linuxworldexpo.com 



Web Services Edge Looks Sharper 

Show expected to rebound from Iraq war slump 



BY YVONNE L. LEE 

At least 37 percent 
more attendees will 
be roaming the halls 
of Boston's Hynes 
Convention Center 
Feb. 15-17 for Web 
Services Edge 2005 
East than went to last 
year's conference, and 
those attendees will 
get the added benefit 
of being able to attend the 
LinuxWorld Expo being held 
at the same site. 

"We haven't had the best 
luck because last year, it was 
the first day of the war [in 
Iraq]. It had an influence on 
the show," said Jim Hanchrow, 
the conference's national sales 
manager. This year, however, 
Hanchrow said registration is 
up and he expects anywhere 
from 2,800 to 3,000 attendees. 

"It's been a show that has 
been successful despite world 
factors," he said. 

The conference, produced 
by SYS-CON Media, is geared 
primarily toward software devel- 
opers, engineers and architects, 
with an increasing number of 
project managers and upper 






eBay's Matt Ackley, Microsoft's Ari Bixhorn, and Mike 
Milinkovich, the Eclipse Foundation's president, from left, 
will give the keynote addresses at the conference. 

management staff attending, 
according to Hanchrow. 

This year, the conference 
will be on the first floor of the 
convention center, while Linux- 
World will be on the third, he 
said. The badges from either 
show will be good for admission 
to the exhibit floor of 
the other. 

The conference 
tutorials also are 
expanded with two 
new tracks: one of 
case studies and the 
other focusing on 
Web services security. 
The other tutori- 
als are in a Java track 
and a .NET track. 
Matt Ackley, senior director 
of eBay's developer program; 
Ari Bixhorn, director for 
Microsoft's Web services strate- 
gy; and Mike Milinkovich, 
president of the Eclipse Found- 
ation, will give the show's 
keynote addresses. 
CONFERENCE: Feb. 15-17 
Hynes Convention Center, Boston 

TUTORIALS: 
Tuesday, 8 a.m.-5 p.m. 
Wednesday, 8 a.m.-6 p.m. 
Thursday, 8 a.m.-6 p.m. 

EXHIBITS: 
Tuesday, 12 p.m.-5 p.m. 
Wednesday, 12 p.m.-4 p.m. 
Thursday, 12 p.m.-4 p.m. 

KEYNOTES: 
Tuesday, 11 a.m., "Web Services for 
eCommerce," Matt Ackley 
Wednesday, 11 a.m., "Introducing In- 
digo: The Unified Programming Mod- 
el," Ari Bixhorn 
Thursday, 11 a.m., "An Open Devel- 
opment Platform for Web Services," 
Mike Milinkovich 

sys-con.com/edge2005east 
Tester Builds Scripts From Requirements 



BY YVONNE L. LEE 

Advanced Quality Assurance 
Solutions has introduced a prod- 
uct designed to create scripts 
from high-level requirements. 

The tool, called System Veri- 
fication and Test (SVaT), tests 
the functionality of applications 
to see whether they operate as 
they are intended. Managing 
director Jan Madsen claimed the 
tool has been proven to be effec- 
tive in graphical user interface 
tests. 

SVaT includes a verification 
designer to design the tests, a 
toolbox designer to build com- 
mands, and a test performer, 
which runs sample tests. 

To build test scripts, testers 
specify the expected function- 
ality graphically in a flowchart- 
like interface and then the 
application generates code that 
can be integrated with the test 
automatic testing tools. This 
design can then be translated 
into a set of test scripts that 
can be executed manually 
by an automated test tool. 

The £475 personal edition 
stores tests in a Microsoft Access 
database. A £950 professional 
edition also enables the test 
scripts to be stored in an Oracle 
database. In addition, the profes- 
sional edition has a plug-in that 
lets managers apply change 
requests to scripts and temporar- 
ily disable certain commands in 
future iterations of a test. 

An enterprise edition with 
collaboration features is in the 
works, according to Madsen. 

2005 
EDUCATION 

continued from page 7 
and Red Hat Summit, June 
1-3 in New Orleans. The dates 
for many other vendor confer- 
ences, such as BEA eWorld, 
the Borland Conference and 
CA World, have not yet been 
announced. 

The test community has 
a number of events, including 
three from Software Quality 
Engineering: Star East, 
May 16-20 in Orlando; Star 
West, Nov. 14-18 in Anaheim; 
and Better Software Confer- 
ence, Sept. 19-22 in San Fran- 
cisco. BZ Media (publisher of 
SD Times) will produce the 
Software Test & Perfor- 
mance Conference the sec- 
ond half of 2005; the location 
has not yet been announced. 

New from BZ Media is the 
Software Security Summit, 
April 12-14 in San Diego. Other 
events from publishers include 
CMP Media's Software Devel- 
opment Conference, March 
14-18 in Santa Clara, and SD 
Best Practices in Boston, from 
Sept. 26-29, and also SYS- 
CON's Web Services Edge 
East, Feb. 15-17 in Boston. 
SYS-CON hasn't announced its 
West Coast dates yet. 

The list above only scratches 
the tip of the educational and 
trade-show iceberg; there 
are additional events for 
embedded developers, users of 
ERP and CRM packages, and 
users of specific languages and 
methodologies, as well as 
events catering specifically to 
ISV/OEM, academic, govern- 
ment and other interests. No 
matter how you slice it, though, 
there's plenty of opportunity for 
development education. 
Pantero 1.2 Gets Semantic Integration 



BY EDWARD J. CORREIA 

About 1 in 4 integration dollars 
is spent on data validation, 
according to integration tools 
builder Pantero. Aiming to cap- 
italize on that ratio, the compa- 
ny in December released Pan- 

SCO POSTS 
YEARLY LOSS 

continued from page 1 

cash-flow positive." 

During the fourth quarter of 
2003, SCO gained just over 
$10.3 million from SCOsource 
revenue, contributing to $25.8 
million for that year. SCOsource 
is SCO's scheme under which it 
sells a Unix license to Linux 
users and agrees not to sue them. 

Last year, customers weren't 
buying it. The $10.3 million 
from the 2003 quarter had trick- 
led to $120,000 in the quarter 
that ended Oct. 31, 2004. 

In addition, the cost of SCO- 
source licensing revenue more 
than doubled for the year, from 
$9.2 million in 2003 to $19.7 mil- 
lion in 2004. 

McBride said he remained 
confident that his company 
would reap financial gains from 
SCOsource following the con- 
clusion of its lawsuits. "We've 
always believed in the merits of 
our claim," he said. 

While the SCOsource busi- 
ness leaked cash, the Unix busi- 
ness was profitable. 

"Nearly all of our quarterly 
revenue of [$]10.1 million came 
from our Unix business," said 
CFO Bert Young. 

Product and service revenue 
totaled almost $10 million in the 
fourth quarter of 2004, down 
from almost $14 million for the 
fourth quarter of 2003. Product 
revenue was $8.3 million, with 
service revenue coming in at 
$1.7 million. For the year, prod- 
uct and service revenue dropped 
21 percent to $42 million from 
$53.4 million. 

Total revenue for the quar- 
ter dropped from US$24 mil- 
lion to $10 million. 

The weekend before SCO 
announced its earnings in 
December, its largest investor, 
Canopy Group, fired its chief 
executive Ralph Yarro and chief 
financial officer Darcy Mott. 
William Mustard, who had 
been a consultant at New York- 
based Smooth Engine, has 
replaced Yarro as CEO. 



tero 1.2, an update to its add-on 
to BEA's WebLogic Workshop 
that introduces Expression 
Builder, with a claim that the 
visual environment allows 
developers to map data sources 
and create rules for data shared 
among applications without 
writing code. The new version 
also extends beyond BEA, and 
works with IBM's development 
tools for WebSphere. 

Pantero 1.2, which typically 
costs about US$100,000 to 
deploy, also now includes seman- 
tic integration, a capability that 
according to Dennis Doughty, 
Pantero's vice president of engi- 
neering, allows developers to 
build connectors that automati- 
cally validate data as it flows and 
is transformed between matched 
fields of disparate applications. 
"It's all about performing calcu- 
lations in service of that match- 
ing," he said. 

Pantero 1.2 also now can 
import UML models, which it 
converts into XML Schema, to 
help keep developers in sync 
with designers. 
W3C Works to Improve Web Interoperability 



continued from page 1 

specification; IBM's Noah Mendelsohn, 
co-author of SOAP 1.1; David Orchard 
of BEA; and Norm Walsh of Sun. 

The AWWW is an attempt to make 
sure future technologies interoperate 
with the existing Web, said Jacobs. 
"Sometimes people inadvertently design 
new Web technologies that don't inte- 
grate very well," he said. 

Most of the document focuses on 
Universal Resource Identifiers, or how 
items are represented and connected on 
the Web. 

"I think when I first came into this, I 
had understood the Web to be HTTP, 
HTML, URI, and they were all about 
equal," said Jacobs. "Having worked 
more closely, I see that without URIs, 
you don't have the Web. URIs are what 
makes the Web the Web." 

URIs represent every single image, 
file, piece of data or other item on the 
Web, as well as the full pages and appli- 
cations, he said. As the number of these 
items increases, the value of the Web 
increases, he said, alluding to Metcalfe's 
Law, which says that the value of a net- 
work is the square of the nodes. 

"HTTP is very important, but there 
are other transports," said Jacobs. 
"Then, you have things like HTML, 
which are even less important." 

The section on interaction deals with 
such issues as how to restrict access to 
items on the Web in a common way and 
what to do about broken links, he said. 

BINARY XML CHARACTERIZATION 

In a separate development, the W3C is 
exploring whether to create a standard- 
ized method for expressing XML data in 
a binary format. 

Most XML is transmitted as text files, 
but sending it in a binary format could 
have several benefits, particularly for 



Mainframes Integrate Via Web Services 



continued from page 1 

Web," not with those of the mainframe, 
said Tom Bice, vice president of product 
marketing at WRQ, a Seattle-based com- 
pany that entered the mainframe integra- 
tion market in 1981. 

Early incarnations of Web services- 
based mainframe integration tools were 
low-level, a first step in moving away 
from tools based on proprietary tech- 
nologies, noted Bice. "You had to write 
the Web services wrapper yourself. But 
today, it is point and click," he said, 
referring to WRQ's VeraStream product 
line, which, in addition to Web services, 
generates .NET class libraries and 
Enterprise JavaBeans. "You simply iden- 
tify which [mainframe application] you 
want to provision as a Web service," 
added Neon's Cresswell, referring to the 
company's Shadow product line. 

Web services-enabled integration 
offerings, such as IBM's CICS Transac- 
tion Server for z/OS V3.1, due the first 
quarter of this year, are expected to 
modernize the mainframe, enabling it to 
act not just as a back-end data store, but 
also as a key player in service-oriented 
architectures, said IBM's Phil Hanson, 
CICS manager for applications and inte- 
gration. "The mainframe can function as 
both a consumer and a provider of Web 
services," he said. 



That makes it practical for companies 
to keep high-transaction systems such as 
those used in the banking and travel 
industries on the mainframe. For years, 
there has been talk of migrating such 
systems to smaller servers, which were 
presumed to be less expensive. "People 
get myopic when looking at the cost of 
Intel boxes," said WRQ's Bice. 

But when reality rears its head, the 
talk goes away. A company might need 
an entire farm of Intel servers in order 
to duplicate the mainframe's perfor- 
mance and capacity. What platform, 
other than the mainframe, can deliver 
"millions and millions of transactions 
with subsecond response time for 
50,000 users?" said Joe Gentry, vice 
president of enterprise transaction sys- 
tems for Software AG. 

The Darmstadt, Germany-based 
company, known for its XML server, 
Tamino, among other offerings, has sold 
mainframe software since 1971. Its 
Enterprise Legacy Integrator tool sim- 
plifies the process of exposing main- 
frame applications as Web services, 
Gentry said. 

The market for proprietary integration offerings has not disappeared. IBM and Neon did not specify how sales of Web services-based integration tools compare with those for tools based on proprietary technologies. But WBQ's Bice said Web services offerings represent only 15 percent of the company's business. 

While the Web services approach to integration is widely assumed to be less expensive, Neon's Cresswell acknowledged that the company's Web services-based integration tools don't cost less than those based on earlier technologies. "It's the cost of implementation that's cheaper," he said. "With Web services, the developer doesn't have to get involved in the glass house in order to take advantage of the mainframe." 



Architect Certification 



< continued from page 1 

undefined set of skills in the delivery of systems architectures in real-world situations. Among those skills are communication, conflict resolution, architecture modeling techniques, and the ability to apply methodologies and elicit shareholder requirements, he said. 

While acknowledging that some companies already certify their own employees, an industrywide effort is necessary because "there's no ability for organizations that employ [software architects] to understand what an IBM-certified architect means," de Raeve said as an example. "It's important that we establish criteria to achieve certification and create a process that's equivalent across multiple organizations, so that either Citibank or Boeing can understand there's common ground, that it's the same across all providers." 

According to de Raeve, the organization, which he said already has built up a reputation for designing and administering certification programs, would like to extend the scope of certification — perhaps to developers and managers. But he added that as a member-driven organization, The Open Group can support only what its members want to achieve. 



mobile applications, said Liam Quin, 
XML activity lead for the W3C. 

Sending the information in binary 
format would reduce its size, since 
much redundant information would be 
removed, he said. This would transmit it 
more quickly, and it also would reduce 
the processor and memory require- 
ments for sending it, he said. 

"If you could reduce the CPU and 
memory overhead by a factor of 3 or 5, 
then your battery would last longer," he 
said. "Having a battery that lasts a month 
would excite people." 

Binary XML also could be useful for 
transmitting such files as scalable 
graphics or documents that enable 
users to jump immediately to specific 
locations. 

Nevertheless, it's not certain that 
the W3C will try to establish a binary 
XML characterization specification. 
That would depend on whether the 
exploratory committee determined that 
it would be possible to create a single 
specification that could be used in all sit- 
uations, Quin said. 

The working group's charter will 
expire in March. Then, the members 
will decide whether the organization 
should form a new working group to 
actually create such a standard. 
Palm OS to Run on Linux 



PalmSource execs explain the decision and dispel the rumors 



BY EDWARD J. CORREIA 

The days of shock and awe over 
Linux should by now be in the 
past for most people. It should 
therefore surprise no one that 
PalmSource plans to develop a 
version of Palm OS for Linux, 
right? 

But, apparently, it surprised a 
few — some of whom were quite 
vocal on palminfocenter.com 
and other message board sites 
about the move being a harbin- 
ger of doom for the software 
company. 

But according to Michael 
Mace, chief competitive officer 
at PalmSource, the purchase in 
December of smart phone soft- 
ware and Linux developer China 
MobileSoft makes sense for 
many reasons. "I think this 
makes the future better. If some- 
body was concerned about our 
viability because of the range of 
resources that Microsoft and 
Symbian have, or if they were 
worried about our long-term 
technology road map, this helps 
a lot in both areas," Mace said. 



In addition to CMS' technol- 
ogy, which includes mLinux, its 
mobile Linux distribution, a 
portable PIM suite and its 
developers, Mace said the move 
allows PalmSource to tap into 
the Linux community, which has 
its own special economics and 
has proven it can compete with 
Microsoft successfully over 
time. "It also makes innovation 
easier, and it's easier to get dri- 
vers and support for new types 
of components," and opens up 
new partnering opportunities 
with companies that want to 
work with Linux, he added. 

RUMORS ABOUND 

Mace said that a common mis- 
conception among bloggers has 
been that PalmSource is aban- 
doning its current Cobalt oper- 
ating system in favor of a Linux- 
based one. "Some people have 
focused on one piece of the 
deal with China MobileSoft 
[and think] that's the entire 
deal. What it means is that 
we're now going to be a compa- 



ny with more than one product 
line. We're not de-emphasizing 
one in particular. Our cus- 
tomers just wanted a variety of 
products from us." 

Of course, China's popula- 
tion of 1.3 billion potential 
phone users is no small incen- 
tive, Mace admitted, adding 
that previous efforts to pene- 
trate that market met with 
mixed success. "We got our 
operating system into Chinese 
and signed up some Chinese 
licensees. But we just weren't 
seeing the increase in momen- 
tum we wanted. It became 
clear that if you wanted to real- 
ly engage the Chinese market, 
you needed a strong native Chi- 
nese presence." 

CMS provided that pres- 
ence. "One thing you learn 
about the Chinese markets is 
that you have to build the con- 
tacts and relationships," ex- 
plained China MobileSoft CTO 
John Ostrem, who remains in 
that post. 

The move also will permit 



Palm OS to find its way onto less 
expensive devices, which Mace 
said already was part of the com- 
pany's strategy. 

Ostrem described two main CMS product lines: one that runs atop Linux and another for RTOSes running in low-end phones, including Mentor Graphics' Nucleus and VRTX and certain proprietary ones. "Our basic MMI [man-machine interface] product takes about 1MB of memory" and runs on an ARM7 or equivalent processor. By comparison, the company typically recommends at least a 200MHz ARM9 processor for Palm OS 6 Cobalt, said Mike Kelley, vice president of engineering at PalmSource. 

LINUX SYNERGY 

Kelley said that with Linux as its 
core, Palm OS offers new oppor- 
tunities for companies with Lin- 
ux expertise to apply it to mobile 
development. "There's a com- 
mon GUI target for a lot of the 
enterprise stuff, which is the 



browser. In enterprises that 
have deployed solutions that 
include HTML-based front 
ends, there are opportunities 
for building custom extensions 
under the hood for transaction 
processing, device management 
and security." 

Mace added that in prelimi- 
nary conversations thus far, the 
move has generated excitement 
among developers, who for the 
first time will be able to do cus- 
tom development and get at 
the Palm OS underpinnings. 
He also speculated at new 
potential partnerships "with 
companies that are building 
open-source enterprise infra- 
structure. IBM and Novell are 
obvious examples." 

Palm OS on Linux will be 
based on Protein APIs — the 
same APIs Cobalt developers 
use today. "But because the 
lower-level Linux services are 
there, a really ambitious Linux 
developer could bring over 
some other solution as part of 
their own model," said Kelley, 
referring to apps that might not 
need to use the Palm OS GUI. 
"But if you want to get ease of 
use and interoperation of the 
applications, you'll benefit from 
building on Protein." 
Application Security: 

Mindset Is What Matters 



On the trek through the application 
life cycle, overcoming security challenges 
is critical. But how do you get 
development teams to think that way? 




When it comes to developing 
secure software, writing code 
that can't be hacked is only half 
the battle. 
The bigger hurdle is getting develop- 
ment teams to embrace the idea that 
security is central to the design, coding 
and testing process. "Security is a mind- 
set, not an event or a process," said Jeff 
Scheidel, technical director at security 
company Kavado, in Stamford, Conn. 
Adopting that mindset is difficult 
because neither developers nor testers 
have been trained to think that way. 
"They are reluctant to do anything but 
get apps out the door," said Steve Orrin, 
vice president of security and technology 
at Waltham, Mass.-based Watchfire, 
which acquired application security ven- 
dor Sanctum last July. 

A growing array of offerings, includ- 
ing scanners that audit code as develop- 
ers write it, and "black box" tools that 
simulate hacker behavior before the 
application goes live (see sidebar "More 
Than One Way to Keep Code 
Safe," page 24), are helping teams 
decrease the vulnerability of their 
Web applications. But using such 
tools is not a matter of simply 
"pushing the big red security but- 
ton," said Gartner analyst John 
Pescatore. "Security is almost an 
entire new discipline to take on," 



added Scott Crawford, an analyst at Enterprise Management Associates, in Boulder, Colo. 



BE SPECIFIC, PLEASE 

Begin by addressing security concerns in the requirements phase, said Roger Thornton, chief scientist at security start-up Fortify Software, in Palo Alto, Calif. "That's what drives dev teams into action." But given that security requirements are "nil in most shops," teams need to identify what those issues are, he said. Specificity is key. 

For instance, a company designing a health-care application might stipulate that "all medical records are encrypted before filed on disk," and that such "records will never appear on the screens of users who aren't authorized to access them," said Thornton. Lack of attention to the nitty-gritty details can get teams into trouble. For instance, when people say, "Use SSL," developers simply implement the Secure Sockets Layer (SSL) specification in the code, without paying careful attention to what is encrypted where, said John Viega, founder and chief technology officer of Secure Software, a McLean, Va.-based company that sells application security software and services. "If you don't get SSL right the first time, it's still exploitable." 



'QA is the perfect place to 
put this. A security problem 
is nothing but a defect.' 
—Caleb Sima, co-founder and CTO of 
SPI Dynamics 



'Development teams tend 
not to specify requirements 
at a granular level.' 
—John Viega, founder and CTO of 
Secure Software 

Viega also noted that while most 
companies identify user authentication 
and authorization as a security require- 
ment for Web applications, they fail to 
recognize other access control issues, 
such as the need to validate the credit- 
card and Social Security numbers users 
enter into Web forms. That can 
result in a breach known as a 
buffer overflow, where a hacker 
can potentially gain control of an 
application by inserting malicious 
code in the form. Development 
teams tend not to specify require- 
ments at a granular level, he said. 
"They keep it high-level." 



There are other issues to address at 
the design stage as well. "Am I going to 
harden my operating system, keep peo- 
ple from executing shell commands? 
Can the application handle the 
expected throughput, safe- 
guarding against a denial-of-ser- 
vice attack?" said Kavado's 
Scheidel. "Security hasn't nec- 
essarily been a requirement of 
the system. But it has to be 
baked in from the beginning," 
added Bob Straight, product 
manager of tool maker Compuware's 
DevPartner offerings. 



'NOT IN MY CODE' 

Tough as it is to talk security at design 
time, it's harder still to get coders to buy 
into the idea of using tools that scan for 
potential flaws as the application is devel- 
oped. "Thinking about how someone 
would go about hacking into their code 
isn't something developers have had to 
consider," said Melissa Webster, an ana- 
lyst at research firm IDC, noting that 
until the past few years, security was 
addressed through network firewalls, 
managed outside the developer's domain. 
What's more, developers are creative 
types, who think in terms of making 
things work. "They look at the glass and 
see it as half full," she said. 

► continued on page 25 
More Than One Way to Keep Code Safe 



BY JENNIFER DEJONG 

Two types of tools dominate the 
application security market: 
those that inspect source code to 
pinpoint possible flaws as an 
application is developed, and 
those designed to "attack" the 



application in the testing phase, 
in much the same way that a 
hacker might. 

Those in the first category 
are typically known as source 
code analysis or vulnerability 
testing tools, while the second 



group is referred to as "black 
box," "attack simulation" or 
penetration testing tools. 

A third, smaller category, 
called runtime analysis, "watch- 
es" an application during the 
debugging stage, looking for 



things such as poorly written 
error handlers and excessive 
account privileges, which a 
hacker could exploit. Many 
vendors also include a reporting 
component with their software, 
providing management with 
metrics on the overall security 
of a company's applications. 

Source code analysis offer- 
ings identify issues such as 
buffer overflows, where a hacker 
can input data to gain control of 
an application; SQL injections, 
which manipulate SQL queries 
to access unauthorized data; 
race conditions, where separate 
threads access the same data at 
the same time; and weak pass- 
words that can be cracked with 
random number generators. By 
scanning code as developers 
work and offering advice on how 
to fix potential flaws, such offer- 
ings help re-enforce secure cod- 
ing practices, said Melissa Web- 
ster, an analyst at research firm 
IDC. 

By contrast, black-box tools 
are used by QA professionals 
who simulate hacker behavior by 
attempting to trick an application 
into giving up information. Tests 
include running SQL statements 
against the database, running 
cross-site scripts, and making 
sure the app validates data such 
as credit-card numbers that users 
typically enter in Web forms. 

Most application security 
vendors provide only one or two 
of the solution types. "But in 
the long run, we will find more 
and more application security 
vendors offering all three," Webster said. 



SCHOOL OF 
SECURE CODING 



It's tough for developers to 
write secure code when no 
one taught them how to do it. 
One application security firm 
plans to address that problem 
at the source: Ounce Labs is 
teaming up with universities 
to help teach budding soft- 
ware engineers the art of 
secure coding. 

The Waltham, Mass.-based 
company announced last month 
the creation of the Secure 
Foundations Initiative. To date 
the program has committed 
more than US$500,000 in 
software and research grants 
to help three universities — 
George Washington, Purdue 
and Southern Methodist — 
teach secure coding practices 
to computer science and engi- 
neering students. 

Ounce Labs CEO Jack Dan- 
ahy said in a statement: "The 
industry as a whole must make 
proper coding techniques a top 
priority." —Jennifer deJong 
Mindset Counts When It Comes to App Security 



< continued from page 21 

Convincing developers that 
their code could be anything less 
than 100 percent secure can be 
an uphill battle, said George 
Langan, president and CEO of 
Mountain View, Calif.-based 
Reasoning, which sells source 
code inspection services. "You 
show them a potential security 
opening picked up by a source 
code scan, and they say, 'That's 
an unlikely code path. It would 
never happen in my code.' " 

Such objections are not 
entirely unfounded. "Early gen- 
erations of the tools had a lot of 
false positives," said Gartner's 
Pescatore. "So developers said, 
'See, the tools don't work.' " But 
the current crop identifies legit- 
imate issues, he added. 

Using them can help devel- 
opers understand the implica- 
tions of every programming 
decision they make, said Dje- 
nana Campara, CTO and 
founder of Klocwork, which sells 
application security software and 
services. It's not that program- 
ming practices, such as using the 
stringCopy library to copy data 
into memory, are in and of them- 
selves flawed, she said. But in an 
environment where "hackers are 
chipping away at the application 
stack," such practices are no 
longer adequate. "We are at the 
new era of software develop- 
ment," she said. There is no 
going back to past programming 
practices, which do not produce 
secure software. 
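Two points in this article lend themselves to a concrete illustration: Viega's observation above that credit-card numbers entered into Web forms need to be validated (and that skipping the check can end in a buffer overflow), and Campara's point that an unbounded string copy is no longer an acceptable habit. The block below is an added example written for this page; it is not code from Secure Software, Klocwork or any other vendor quoted here. It assumes a C back end that receives the raw form field as a NUL-terminated string and wants it in a fixed buffer; the length limits, the separator handling and the sample inputs are constructed for the illustration.

```c
/* Added example: validating a credit-card form field before it is stored.
 * Not code from any vendor named in the article; limits and samples are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CARD_MIN_DIGITS 12   /* assumed lower bound on a card number's length */
#define CARD_MAX_DIGITS 19   /* longest primary account number in ISO/IEC 7812 */

/* 'Before': the defect the article describes. The raw field is copied into a
 * fixed buffer with no length check, so a value longer than CARD_MAX_DIGITS
 * characters writes past the end of card_buf. Shown only for contrast with
 * the hardened version below; nothing here calls it. */
void unsafe_store_card(const char *field)
{
    char card_buf[CARD_MAX_DIGITS + 1];
    strcpy(card_buf, field);          /* unbounded copy: the overflow */
    (void)card_buf;
}

typedef enum {
    CARD_OK = 0,
    CARD_TOO_LONG,
    CARD_TOO_SHORT,
    CARD_NOT_DIGITS,
    CARD_BAD_CHECKSUM
} card_status;

/* Luhn mod-10 check over a digit-only string, the check-digit scheme used by
 * ISO/IEC 7812 card numbers. It catches typos and junk, not fraud. */
bool luhn_valid(const char *digits, size_t n)
{
    int sum = 0;
    bool dbl = false;                 /* double every second digit from the right */
    for (size_t i = n; i-- > 0; ) {
        int d = digits[i] - '0';
        if (dbl) {
            d *= 2;
            if (d > 9) d -= 9;
        }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* 'After': a granular requirement made executable. Spaces and dashes are
 * dropped, every remaining character must be a digit, the digit count is
 * bounded *before* anything is written, the Luhn checksum must hold, and the
 * final copy into out is bounded by out_size. Returns CARD_OK on success. */
card_status accept_card_number(const char *field, char *out, size_t out_size)
{
    char digits[CARD_MAX_DIGITS + 1];
    size_t n = 0;

    for (const char *p = field; *p != '\0'; ++p) {
        if (*p == ' ' || *p == '-')
            continue;                 /* tolerate common separators */
        if (!isdigit((unsigned char)*p))
            return CARD_NOT_DIGITS;
        if (n >= CARD_MAX_DIGITS)
            return CARD_TOO_LONG;     /* checked before the write, never after */
        digits[n++] = *p;
    }
    digits[n] = '\0';

    if (n < CARD_MIN_DIGITS)
        return CARD_TOO_SHORT;
    if (!luhn_valid(digits, n))
        return CARD_BAD_CHECKSUM;
    if (out_size < n + 1)
        return CARD_TOO_LONG;         /* destination too small: refuse, don't truncate */

    memcpy(out, digits, n + 1);
    return CARD_OK;
}

int main(void)
{
    /* Constructed sample inputs; 4111 1111 1111 1111 is a well-known Luhn-valid test number. */
    const char *samples[] = {
        "4111 1111 1111 1111",
        "4111-1111-1111-1112",
        "4111111111111111111111111",
        "4111 1111 1111 111x",
    };
    char out[CARD_MAX_DIGITS + 1];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        card_status s = accept_card_number(samples[i], out, sizeof out);
        printf("%-28s -> %s\n", samples[i], s == CARD_OK ? out : "rejected");
    }
    return 0;
}
```

The design choice worth noticing is the order of the checks: the length bound is enforced on the way in, before a single byte is written, and a destination that is too small causes a rejection rather than a silent truncation. The Luhn test turns the vague "validate the card number" into a requirement a tester can write a case against, which is the specificity Thornton and Viega are asking for.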

To get programmers on 
board with the new thinking, 
application scanning tools 
should also point out what they 
are doing right, said Alan Him- 
ler, vice president of product 
management at Pittsburgh- 
based LogicLibrary, which 
acquired application security 
software from BugScan, a divi- 
sion of HBGary, in Sunnyvale, 
Calif., last year. "No one is 
going to give their boss a report 
that says, 'Here's what I did 
wrong,' " he said. 

A HIGH-PAYLOAD BUG? 

While scanning applications as 
they are developed is impor- 
tant, some say that from a 
process standpoint, application 
security can be more effectively 
addressed in QA, where simula- 
tion tests, which mimic poten- 
tial hacker attacks, are run 
alongside functional and per- 
formance tests. "Security is just 



another aspect of quality," said 
Compuware's Straight. 

Although QA professionals 
haven't had to deal with securi- 
ty per se, their mindset may be 
better suited to the task than 



that of coders. "They are used 
to picking things apart," said 
IDC's Webster. 

Caleb Sima, co-founder and 
CTO of software security vendor 
SPI Dynamics, in Atlanta, 



agreed. "QA is the perfect place 
to put this," he said. "A security 
problem is nothing but a defect." 
Because they are "high-payload 
bugs," developers will be quick 
to address them, Webster said. 



But, ultimately, all team 
members must own security, 
said Kavado's Scheidel. "Every- 
one in [the application develop- 
ment life cycle] is responsible 
for it." 
EDITORIAL 

SCO Away 

How far The SCO Group has fallen. The company 
made waves in 2002, scared enterprise IT managers 
in 2003, and fizzled in 2004. Last year, this newspaper 
recognized the company's negative influence as part of 
the SD Times 100, saying in the May 15 issue, "The com- 
pany's legal assaults on IBM and Linux users dominated 
2003's tech headlines and shook up the open-source com- 
munity. No other IT topic inspires such fervent debate, 
fear, uncertainty and doubt." 

That was then. Today, nobody seems to fear the reper- 
cussions of SCO's intellectual property claims against 
Linux. The company's most recent public statements 
have focused on its products, such as UnixWare and 
OpenServer, and the new SCOoffice Server system, and 
on its recent successes in capping the expenses caused by 
its lawsuits. 

Yet the company's software can't get traction, because 
whenever anyone writes about SCO, all they can focus on 
is the Linux lawsuit. Despite praise from reviewers, many 
journalists, analysts and prospective customers don't take 
the company's products seriously. Everyone is busy wait- 
ing for the legal shoe to drop. 

At this point, SCO would undoubtedly like the bruis- 
ing, distracting IP battle to go away. Rather than continu- 
ing to hype its case with acerbic quotes from CEO Darl 
McBride, the company's home page doesn't even 
acknowledge the legal furor it created with high-profile 
suits against IBM, Novell, AutoZone and Daimler- 
Chrysler. That's fine. Nearly nobody else is talking about 
them either. 

A more tangible indication of the company's decline is 
the drop in licensing revenue from SCOsource, the pro- 
gram set up in January 2003 to extort money from Lin- 
ux users by promising indemnification. "End users who 
purchase this license will be covered for their use of 
SCO's intellectual property in binary format in Linux 
distributions on the licensed system," the SCOsource 
page explains. 

Despite some high-profile signers, like Microsoft 
(which was accused of using SCOsource to subsidize 
SCO's assaults on Linux), SCOsource didn't catch on, as 
the company's fourth-quarter numbers reflected. Total 
revenue for the quarter dropped from US$24 million for 
the fourth quarter of 2003 to $10 million for the similar 
quarter in 2004, mainly as SCOsource's revenue 
dropped from $10.3 million to $120,000 — a decline of 
98.8 percent. 

The financial markets haven't approved. The prospects 
always were dicey; the company lost money on opera- 
tions, but there was a big hope of a payoff if its lawsuit 
against IBM succeeded. There's not much hope left: At 
year's end, the company's stock was down to $4.47, declin- 
ing from the year's high of $18.24. The market cap has 
declined to a mere $78 million. 

While SCO remains an active company and the intel- 
lectual property lawsuits still exist, it's time for McBride 
to go. The Linux lawsuit and fear-uncertainty-doubt strategy 
were his brainchild. McBride's leadership and bluster 
over the past several years haven't well served his com- 
pany, his shareholders or his customers. We need a fresh 
start to a company with a long and otherwise distinguished heritage. 



Are Web Services the New CORBA? 



Surely, you remember the 
good old days of CORBA. 
The promises were grand and 
many. CORBA would solve any 
integration problem in the 
world. "Really" interoperable 
inter-ORB communication was 
just one minor version away. No 
additional skills were required 
to turn Java or C++ code into 
object-oriented client/server 
applications. Security would be 
addressed by an additional 
specification. 

It seemed that everybody, 
except Microsoft, of course, was 
jumping on that bandwagon. 
And for good reason: Many of 
us were fascinated by the 
promise of a portable technolo- 
gy that would allow applications 
written in multiple languages to 
cooperate on multiple plat- 
forms. Having the ability to do 
this at an object-oriented level of 
abstraction just put the cherry 
on the sundae. 

I plunged into CORBA in 
the early 1990s using Orbix, 
VisiBroker and the occasional 
free ORB, but my initial enthu- 



siasm was quickly dampened. 
The potholes were numerous — 
extra payments were needed 
for things like naming services; 
other pieces didn't work exactly 
as described; and critical fea- 
tures (revolutionary items such 
as value arrays, for example) 
were not ready for 
prime time. On top 
of all that, finding 
people who had both 
client/server and 
C++ skills and knew 
how to clean up 
behind their CORBA 
requests was like 
winning the lottery. 

To be a good 
CORBA developer, it 
was necessary to have 
expertise in many different 
areas. As a practical matter, this 
wasn't possible for a critical 
mass of developers. Conse- 
quently, the lack of well-round- 
ed CORBA developers doomed 
many projects to fail. Yes, I 
know — there were, and still are, 
examples of successful CORBA 
projects. But the fact remains, 
even though the technology 
basically worked as advertised, 
CORBA's complexity prevented 
it from achieving its initial 
promise. 

Most companies came to the 
same conclusion. Software ven- 
dors steered away from COR- 
BA and toward en- 
terprise application 
integration (EAI) 
products. However, 
under the hood, EAI 
was often still the 
old CORBA server, 
but with new fend- 
ers and a shiny new 
spoiler. While EAI 
products offered 
some benefits, its 
high cost made it 
unaffordable for most organiza- 
tions. Additionally, EAI locked 
customers into a proprietary 
approach, and the complex 
nature of the technology 
required an army of service 
consultants. 

Fast forward to today's world 
of Web services and service-ori- 
ented architectures (SOAs). 



Letters to the Editor 



BLUNT TALK ON JCP 

While I think that Allen Holub 
was somehow harsh on the JCP 
process in general ["Do We Real- 
ly Need the JCP?" Dec. 15, 2004, 
page 29, or at www.sdtimes 
.com/cols/javawatch_116.htm], I 
commend him for speaking out 
bluntly about the abysmal issues 
related to the J2EE technology, 
and on the cost effects that these 
have had on the industry. 

I agree with Mr. Holub, and I 
think the JCP has to change, or it 
has to go — I am not quite sure 
what is the minimally disruptive 
model for the change. Maybe at 
the minimum, the JCP should be 
open to "change requests" and 
continuous feedback from the 
trenches, similar to open-source 
projects. For every open-source 
project, there is a mailing list that 
allows users of the product or 
aspiring product developers to 
express what should be added to 
the product, and how. 

The JCP process has been 
operating in an "Ivory Tower" 
mode for too long, and I am 
afraid it is going to cost it its 
head. 

Furthermore, I blame anoth- 
er of Sun Java's Ivory Tower 
inventions — "J2EE blueprints" — 



for the state of the J2EE world 
today. We have numerous sys- 
tems out there that are extreme- 
ly complex, often poorly per- 
forming and demanding to 
maintain, but that are architect- 
ed in concordance with the acad- 
emic J2EE blueprints. It seems 
like these blueprints are there to 
give technologists an idea, and 
the justification for building the 
complicated systems. I think that 
"Revolution of Simplicity" led by 
the AOP, Spring and Hibernate 
efforts is going to change that. 

Edition Beqoli 
SPEC BACKLASH 

Yvonne L. Lee's article ["WS- 
Discovery Finds Web Services 
Without the Load of UDDI," 
Dec. 1, 2004, page 13, or at 
www.sdtimes.com/news/115/story14 
.htm] discusses the recent WS- 
Discovery "specification" in the 
context of Web services and in 
relation to UDDI. What the 
author fails to explain or even 
imply is how WS-Discovery is 
actually related to UDDI. The 
first sentence (in section 1. 
Introduction) of the spec is: 



"This specification defines a 
multicast discovery protocol to 
locate services." In section 1.2. 
Non-Requirements, it is stated: 
"This specification does not 
intend to . . . support Internet- 
scale discovery." 

In other words, WS-Discov- 
ery is essentially only intended 
for use in a LAN setting, 
whereas most uses of UDDI 
that I'm familiar with are 
intended to address "Internet- 
scale discovery." I'm certainly 
not the only developer interest- 
ed in using something along 
the lines of UDDI but "With- 
out the Load of UDDI." WS- 
Discovery isn't it, although the 
article's headline and content 
imply that it is. 

The word specification is in 
quotation marks above because 
WS-Discovery is one of the 
plethora of recent WS-xxx pub- 
lications that in my opinion 
have less to do with useful tech- 
nology than with marketing and 
PR. Although I'm a believer in 
using XML over standard pro- 
tocols (i.e., SOAP over HTTP 
or HTTP/S) when building new 
networking applications where 
speed and latency are not 
issues, I also believe that there's 
Web services will purportedly 
solve any integration problem in 
the world. The Web services 
interoperability stack is almost 
here. Java and C++ developers 
can write client/server applica- 
tions without requiring addition- 
al training. A Web services secu- 
rity specification is done and 
implementations are becoming 
available. All the big players, 
even Microsoft this time, are 
jockeying for position in the 
emerging Web services market. 

DEJA BOOM 

Is it me, or does all of this seem 
eerily familiar? I can't help 
comparing today's Web services 
hype to the CORBA boom of 
the 1990s. 

What happened and which 
technological revolution did I 
miss that makes all this a reali- 
ty? It must have been XML and 
SOAP. But wait— while XML is 
a great way to store and 
exchange information, it does 
so in a very verbose manner. 
And SOAP is really just another 
RPC protocol that happens to 
use XML instead of a binary 
data representation. 

Deploying Web services 
requires a stack that includes 



XML parsers, Web servers and 
additional infrastructure. I just 
don't see that huge a difference 
between what Web services 
offers to me today and what 
CORBA offered to me five 
years ago. Back then, I needed 
to know IDL (Interface Defini- 
tion Language). Today, I need 
to know all the different Web 
services schemas. And keeping 
track of the various standards 
and specifications is another 
enormous challenge. 

It is going to be very interest- 
ing to see how enterprises main- 
tain their Web services-based 
infrastructures and whether 
their SOAs withstand the test of 
time. Rolling out a new version 
of a Web services-based applica- 
tion will present the same prob- 
lems that rolling out a new 
CORBA service had. Versioning 
services has always been a prob- 
lem and will remain a problem 
in the foreseeable future. Keep- 
ing Web services-based infra- 
structures working in an orderly 
fashion without huge increases 
in TCO will be difficult. 

I am a big proponent of 
using the right tool for the right 
job, and Web services are being 
oversold right now. Web ser- 



vices are great when it comes to 
large-scale system integration 
across the network, but when 
used inappropriately, they can 
introduce more problems than 
they solve. 

Just consider a Web ser- 
vices-based local API integra- 
tion that does not deploy Web 
services security because it is 
assumed to be safely behind 
a firewall. A breach of the 
firewall might expose that 
application to attacks that a 
tighter programmatic integra- 
tion would not be facing. 

Also, think about the addi- 
tional failure modes that your 
application will have to deal 
with, including lookup failure 
and server timeouts. In fact, 
there are many integration 
problems where alternative 
approaches are far superior in 
terms of security, performance, 
ease of use, developer produc- 
tivity and cost. 

All that being said, you 
might get the idea that I don't 
like Web services. Not true. 
Web services are here to stay, 
and that is good — we just need 
to develop perspective on what 
works and what doesn't. 

This new year of 2005 will bring us closer to a more realistic assessment of Web services. Developers will see the flood of new specs begin to slow. Proprietary specification extensions will not be as well received as they once were. Design blueprints will be created to help architects and developers with creating better integration solutions. And, most important, we will learn from stories of both successful and failed Web services integration projects. 

Web services are yet another 
tool in our increasingly large 
arsenal of integration approach- 
es. They have many admirable 
characteristics and will make a 
valuable contribution in help- 
ing businesses operate more 
efficiently and serve customers 
better. Let's just make sure that 
when we choose Web services, 
we do so because they are the 
appropriate solution for each 
integration problem and not 
because we have a free Web 
services stack sitting around 
with nothing to do. 

Alexander Krapf is president 
and co-founder of CodeMesh, 
which sells Java, C++ and .NET 
integration tools. 
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Application development managers that received a salary 
increase between 2002 and 2004 are in the minority, according 
to the Salary Survey 2004, published in June by Enterprise Sys- 
tems, an information technology research analysis firm. 

In fact, had it not been for bonuses given in 2004, which aver- 
aged at around US$7,100 or about 8 percent of base salary, AD 
manager salaries would have fallen by about 6 percent over that 
period of time. Instead, the average rose by approximately 2 per- 
cent to $87,500; bonuses made up the difference. 

The survey showed that a typical AD manager-that is the per- 
son responsible for planning and directing all day-to-day applica- 
tion development functions-will earn about $83,000 at the entry 
level and increase to around $93,000 after 10 years on the job. 
Salary will grow slightly for the next 10 years, but flattens out 
when experience reaches 20 years and more. 

When separated by operating system, development managers 
of projects targeting Linux and OS/400 are paid most handsome- 
ly at slightly more than $92,000 on average. 
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a new specification on the 
way — WS-Backlash — and it's 
not going to be pretty. If you've 
recently bet your job on WS- 
Hype, you're going to be in for 
a rude awakening. WS-xxx is 
not a silver bullet. Some of WS- 
xxx has concrete efforts behind 
it. The rest is self-serving junk. 

Robert Prince 

Northrop Grumman 

MONOCULTURE'S REAL LESSON 

I saw Jeff Duntemann's article "The Lessons of Software Monoculture" [Nov. 1, 2004, page 28, or at www.sdtimes.com/opinions/guestview_113.htm], and found it entertaining. But I am hoping you were intending to also provide information. 

Mr. Duntemann talks about 
Internet Explorer's (in)security 
problems arising because of its 
being too popular and so prone 
to attacks. He also mentions the 
Apache Web server under 
"minority products." 

However by now it is folklore knowledge that the Apache Web server is not a minority product and not vulnerable like Internet Explorer (see "Myth: Widespread use equals widespread abuse" at www.desktoplinux.com/articles/AT5785842995.html). 

Why publish sloppy articles? 

Stephan Wehner 

CORRECTIONS 

Gluecode JOE runs on a Java 2 Standard Edition platform. A story in the Jan. 1 issue incorrectly reported that JOE is certified for the Java 2 Enterprise Edition platform. 

The latest release of Etnus' 
TotalView debugger is 6.6. The 
version number was incorrectly 
reported in the News Briefs in 
the Dec. 15, 2004, issue. 

Letters to SD Times should include the 
writer's name, company affiliation and 
contact information. Letters become the 
property of BZ Media and may be edited. 
Send to feedback@bzmedia.com, or fax 
to +1-631-421-4045. Please mark all cor- 
respondence as Letters to the Editor. 
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Teach Your Programmers Well 



Regardless of what people say about 
how they develop software, the best 
way to find real priorities is to look at the 
departmental budget. Things get partic- 
ularly interesting when the perceived 
needs of the managers are not reflected 
in those budgets. 

Enterprise Systems just published an 
interesting budget survey based on the 
voluntary replies of 250 subscribers, half 
of which are senior management. (You 
can see this survey at www.esj.com 
/surveys/itbudget2004.aspx.) 

In that study, the disconnect between 
needs and spending struck me forcibly in 
two areas: training and staffing. The top 
four areas where the managers were 
planning to reduce spending were desk- 
top software, desktop hardware, staff 
head count and training. 

Cutting out unnecessary hardware 
and software purchases doesn't seem 
like a bad idea, but cutting head count 
and training is a problem, especially 
when you compare these cuts with the 
top three items in the "What new IT ini- 
tiatives are on your IT wish list?" catego- 
ry: staff salaries, staff training and staff 
head count. The No. 1 item in the "What 
one skill does your IT department need 
to develop most?" category is "technical 
proficiency." 



To quote astronaut James Lovell: 
"Houston, we have a problem." 

I strongly believe that you can't pro- 
duce even moderately acceptable soft- 
ware without excellent programmers. I 
also believe that it takes longer to develop 
mediocre programs than it does to pro- 
duce good ones, and mediocrity is the 
best you'll get out of an 
untrained staff. 

Though excellence is 
important, it's not innate. You 
achieve excellence by superb 
training and constant practice. 
By superb training, I mean 
classes taught in the flesh by 
experts in the field, not online 
courseware churned out by 
some education mill. The 
online stuff is no better than 
reading a book — it's not useless, but you 
get what you pay for. 

Unfortunately, our university system falls down on the superb-training front. A degree is, more and more, a job requirement, but most experienced programmers consider someone fresh out of school to be useless when it comes to doing real work. Programmers don't become productive until they've worked on nontrivial projects for at least a few years, but even those years don't guarantee an excellent programmer. Since our universities aren't doing the job, you'd expect employers to make up the difference by training their workforce. Most companies don't do that, so the programmers who work for those companies never get better — they just get older. 

I blame this problem primarily on a too-strong emphasis on training for specific technologies — how to write an EJB, for example. This tunnel vision produces people who know a specific technique but not how to program in general. These people are ill-equipped to make technical decisions outside of their narrow practice area, but in most shops, they are called upon to do exactly that. An EJB specialist should simply not be allowed to make decisions about UI or database architecture, for example. It's as if you relied on your dermatologist to do heart surgery. 

Moreover, a too-narrow focus guarantees bad long-term decision-making. Technology changes. Whatever effort you've spent learning the technology of the week is money down the drain once that technology becomes obsolete. By focusing on specific technologies, you eliminate from your workforce all people who are good enough to see that a particular technology is inappropriate for a particular application. For that, you need a generalist. 

So, it's not just the lack of training that's a problem; it's also the narrow focus of what little training is provided. Knowing how to design, for example, is an essential programming skill, but design training seems to be one of the first things to go when the budget ax comes down. 

Perhaps it's the mistaken belief that a single brilliant architect can handle all the design issues and the drone programmers don't need to know why certain decisions were made. Design is an ongoing activity that happens every time you write a line of code, however. If you don't know design, you can't write good code. 

Many companies seem to believe that 
you can hire excellent programmers, but 
the hiring practices of those same com- 
panies, by focusing on specific technolo- 
gies, almost guarantee the opposite 
result. In any event, staff head count was 
being axed, too. 

Your best bet is to educate your exist- 
ing staff, not replace them. Sure, good 
training is expensive, but the cost in lost 
productivity is more expensive. You can't 
afford not to do it. 

Allen Holub is an architect, consultant and instructor in C/C++, Java and OO Design. Reach him at www.holub.com. 
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Blind Spots and Frequent Testing 



The requirement that submissions to 
open-source projects be accompa- 
nied by unit tests reflects the trend 
among developers to perform frequent 
unit testing (FUT). I coin this acronym 
because I need to capture this compara- 
tively new activity. It's one step down 
from Extreme Programming's Test- 
Driven Development (TDD) in that the 
code is written first (then immediately 
tested). My perception is that many 
exponents of TDD eventually drift into 
FUT. The tendency to write code first is 
both natural and expedient. 

The trouble with FUT is that the 
tests and code are developed nearly in 
tandem, and so they fit each other well. 
Tests frequently focus on the main use 
case and then add the occasional edge 
value to make sure maximum, minimum 
and special values do not break the code. 
Not surprisingly, the test cases reflect 
the code already in the routine. The 
result is that the tests simply reinforce 
the perception that the code is function- 
ally correct, without in fact really exer- 
cising potential weaknesses. I'll come 
back to this in a moment. 

A second problem, which needs attention if FUT ever is to do more than baseline validation, is to design frequent larger-than-unit tests. (I'll avoid a new acronym here.) Unit tests are very much a bottom-up experience, designed and performed at a low level. They inspire a false confidence that the functionally correct units work together properly. This higher level of correctness, fortunately, is covered by standard testing tools that can drive cross-unit interfaces, simulate transactions and test systems under load. The trouble is, these tests are not run as frequently as unit tests because they take longer to develop and run — meaning that feedback to the developer is never immediate and often distant from the coding work by days, weeks, even months. 

These larger tests are typi- 
cally written by QA and test engineers 
rather than the developers themselves, 
and as a result they are less prone to 
testing what is already known to work. 
Testers can see in the code things that 
developers miss. 

Between these two levels exists the 
code review, which generally comprises 
more than a single unit and is performed 
by other developers. Code reviews are 
great for enforcing standards, locating 
what Extreme Programming calls 
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"smells," and making sure that project 
coding is on track. 

The problem is that reviewers tend to 
share the same blindness that affects the 
original developers, whether it comes in 
the form of skimming code constructs 
that are familiar, or similarly judging 
whether a given routine will ever be exe- 
cuted with, say, pathological 
data. These assumptions can 
be deadly wrong. 

The explosion of the Ari- 
ane 5 rocket in 1996 was 
traced to an integer-conver- 
sion error. None of the man- 
agers who signed off on the 
code expected values would 
reach a level sufficient to 
cause an exception. When the 
values did, the code blew up, 
taking the rocket with it. 

This well-known example should not be dismissed as a one-off example of human error. Programmer blind spots are everywhere. Consider one that amazes me, mostly because it is so conspicuous and never, ever handled: the command-line switch. Under Unix, Linux and Java, the default command-line switch begins with a hyphen. Under all three environments, filenames that start with a hyphen are also legal. Yet I have never seen a parser that checks a command-line argument that begins with a hyphen to make sure it's not a parameter. 

Even enterprise-safe JVMs screw this up. Try running Java on a file called -help.class; it won't work. If you think filenames that begin with a hyphen are so rare as to not be worth testing, I would suggest you read the Ariane report, which is widely available on the Web. 

FUT cannot deliver more reliable 
code until developers change their 
approach to testing and validation. The 
operating principle today is: "The code 
works, and I'll write tests to prove it." 
The principle must become: "The code 
does not work under all circumstances, 
so what test can I write to break it?" 
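The hyphen-prefixed filename blind spot and the "what test can I write to break it?" principle, as an added Python example that is not part of the column: a naive switch parser beside a hardened one that honours the POSIX `--` end-of-options marker and checks an unknown hyphen-prefixed token against the file system before rejecting it. The switch set and the `-help.class` file are constructed for the demonstration.

```python
import os
import tempfile

# Constructed sample switch set for the demonstration; a real tool has its own.
KNOWN_SWITCHES = {"-v", "-h", "--help"}


def parse_naive(argv):
    """The blind spot: every token that starts with '-' is taken as a switch.

    A file literally named '-help.class' can never reach the operand list, and
    a typo such as '-x' silently becomes a switch instead of an error.
    """
    switches, operands = [], []
    for tok in argv:
        if tok.startswith("-"):
            switches.append(tok)
        else:
            operands.append(tok)
    return switches, operands


def parse_hardened(argv, exists=os.path.exists):
    """Honour the POSIX '--' end-of-options marker and refuse to guess.

    A token that looks like a switch but is not a known one is accepted as an
    operand only if it names an existing file; otherwise it is rejected loudly.
    `exists` is injectable so a test can supply its own view of the file system.
    """
    switches, operands = [], []
    rest = list(argv)
    while rest:
        tok = rest.pop(0)
        if tok == "--":              # everything after '--' is an operand
            operands.extend(rest)
            break
        if tok in KNOWN_SWITCHES:
            switches.append(tok)
        elif tok.startswith("-") and tok != "-" and not exists(tok):
            raise ValueError(
                f"unknown switch {tok!r}; put '--' before filenames that start with '-'"
            )
        else:
            operands.append(tok)     # plain names, '-' (stdin) and existing '-foo' files
    return switches, operands


def break_it():
    """The adversarial case from the column, run against both parsers.

    Creates a real file named '-help.class' in a scratch directory (constructed
    for the demonstration) and returns (naive_result, hardened_result) so the
    outcome can be asserted rather than eyeballed.
    """
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "-help.class")
        with open(target, "w") as fh:
            fh.write("")             # contents are irrelevant; only the name matters

        def in_scratch(name):
            return os.path.exists(os.path.join(scratch, name))

        argv = ["-v", "-help.class"]
        naive = parse_naive(argv)                            # (['-v', '-help.class'], [])
        hardened = parse_hardened(argv, exists=in_scratch)   # (['-v'], ['-help.class'])
    return naive, hardened


if __name__ == "__main__":
    naive, hardened = break_it()
    print("naive   :", naive)
    print("hardened:", hardened)
    print("with -- :", parse_hardened(["-v", "--", "-help.class", "-x"], exists=lambda p: False))
```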

Today, only one group of program- 
mers I know of does this: the folk who 
worry about security. They correctly 
view all forms of input data as malicious 
and pore over programs to find ways in 
which malicious data could unhinge 
code. As a result, their testing is com- 
pletely different: They look for perverse 
cases, document areas that could be 
weakened, and try to dream up ways in 
which their programs can fail. 

Until developers and testers become 
more oriented this way, overall code qual- 
ity and reliability will still fall short of 
what we should be delivering with FUT. 

Andrew Binstock is the principal analyst 
at Pacific Data Works LLC. 
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Windows & .NET Watch 

Search and Delay 

Community Technology Previews or desktop search? Desktop search or schedule slips? Ceo or desktop search? What a depressing way to end the year. Don't get me wrong, I'm as happy as the next guy not to have to deal with that stupid dog anymore (what is with Microsoft and its belief in annoying animated helpmates?), but I just can't get worked up about the battle of the find and grep commands. "But it's Google versus Microsoft! 'Don't be evil' versus The Borg from Redmond! It's the story of the year!" Sheesh. 

Search is an interesting field, but not when it's a question of keywords and indices. Search is interesting when it's a question of relevance in an 8-billion-page World Wide Web. On the desktop, even on desktops with hundred-gigabyte drives, search is only interesting to the extent it involves digital photos and videos. Which is why the second slip of WinFS is a much bigger deal than the release of Microsoft's desktop search toolbar. 

That the current advances in desktop search are a big deal is a testament to the moribund utility software market. For years anyone interested in quickly finding files on his PC could use Copernic, X1, LookOut or any of several other products. LookOut, in particular, solved a crucial need in that it dealt with Outlook, whose monolithic, always open, always growing file structure would be a finalist for any "Most Troublesome Design Decisions in an Essential Application" award. Microsoft acquired LookOut earlier this year. (Ironically, "Is LookOut used in Microsoft Desktop Search?" gives no relevant results on the first pages of either Google or the beta of MSN Search.) 

It's not the utility vendors 
that are to blame for their rel- 
ative lack of visibility. They've 
been innovative all along. 
Excuse the tangent, but a new 
program called Consistency is 
a great example of a useful 
idea, executed perfectly. It is a To-Do 
List manager for tasks with fuzzy fre- 
quencies (like "Get a haircut" or "Go for 
a hike"), and I registered my copy min- 
utes after installing the trial. Check it 
out at www.sciral.com. Now, back to our 
regularly scheduled column. . . 

Of course, I'm as happy as the next guy to be able to search within PDFs and within image metadata, and I like the "Search folders" within Outlook and would love to have such things for my file system. However, aside from e-mail, the files that mostly accumulate in baffling, messy ways are digital media. And the interesting problem with digital media isn't searching the metadata; it's adding the metadata. This can be most clearly seen in cases where the issue has been solved — the most obvious of which is music CDs. 

When you pop a CD into 
your drive, virtually all media 
players will shortly identify 
the CD. This is done by com- 
paring the order and length 
of the files on the CD versus 
online databases such as 
Gracenote's CDDB. It's an 
elegant solution and an 
important enabler of legiti- 
mate ripping (if one had to 
rename every song as it was being 
ripped into the computer, the tempta- 
tion to use P2P networks would be much 
higher). In addition, there are a number 
of de facto standard formats for the 
metadata and playlists and so forth, all of 
which make possible the not-shabby-at- 
all auto-playlist and related-artists fea- 
tures that help make the digital music 
experience quite compelling. 

Similarly, a single piece of automatically generated metadata — the date the image was taken — has turned out to be the most valuable thing in picture-management software. Also, because this is an easily determined piece of data, it can be combined with other date-based information to create new tools, such as photo albums linked to maps via GPS tracks. (See, for instance, Microsoft Research's World-Wide Media Exchange at www.wwmx.org). 

In both these examples, the metadata 
combines both personal and Web-avail- 
able data to create a better organization. 
"Googlizing the desktop," especially with 
proprietary indices, is nowhere near as 
compelling. This is why there was the 
mid-December announcement of a sec- 
ond major slip in WinFS. The metadata 
store, originally one of the "Pillars of 
Longhorn," had already slipped out of 
Longhorn Client, and Windows Server 
chief Bob Muglia now says that it won't 
ship in Longhorn Server either. Muglia's 
description of WinFS' viability couldn't 
be less reassuring. Perhaps it will ship in 
a Longhorn update in several years, but 
"that would be the earliest." 

Will WinFS ever ship? I wouldn't bet my company on it. "No more animated dogs" is all well and good, but if it's the best Microsoft can do, then Redmond is in trouble. 

Larry O'Brien is a technology consultant, analyst and writer. Read his blog at www.knowing.net. 
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The value of training and education 
cannot be overstated. It is the foun- 
dation upon which the global technology 
arena is based. Yet despite years of warn- 
ings of worker shortages and a talent pool 
ill-equipped to handle the newest — and 
oldest — technologies, it still represents 
too small a part of most IT expenditures. 

American universities cite declining 
numbers of computer science 
majors. Certain aspects of the 
software life cycle — most 
notably architecture and test- 
ing — are being taught in fewer 
and fewer colleges. Jobs that 
could be going to Americans 
instead go to foreign nationals. 

Well, that's good for them, 
and it could be good for us — 
but only if training becomes a 
matter of public policy, 
according to Marc Hebert, executive 
vice president at Sierra Atlantic, a soft- 
ware company headquartered in Silicon 
Valley that does a lot of work offshore. 

Technology companies are fretting about the lack of good technical graduates in the United States, and recently successfully lobbied the government to add 20,000 H-1B visas granted to foreign nationals to work in the U.S. An omnibus bill raising the total number of visas to about 85,000 was passed in November. Without the increase in visas, companies would not have the skilled labor they need to remain competitive, believes Hebert. 

H-1B visas, which let foreigners work in the U.S., are given to foreign nationals sponsored by U.S. companies. Often, they go to people here on student visas that companies identify as someone who can help them. When they graduate, and their student visas are invalidated, they are granted H-1B visas by a company to stay and work. This is not done as a way to find inexpensive labor. Companies employing foreigners in the U.S. find themselves having to pay the prevailing wage for that job or skill set. No, it's simply about finding the workers they need to keep their companies moving forward. 

The U.S. government can do more, 
far more, to encourage youngsters to 
study science. In the 1960s, the U.S. 
space program inspired a generation of 
students to enter the science and engi- 
neering fields, culminating in 
Neil Armstrong's "giant leap 
for mankind." Today, Hebert 
said, governments and fami- 
lies are not doing enough to 
encourage children to study 
science. 

Unfortunately, most of the 
stories young people see 
today in the general press 
about technology and busi- 
ness involve exploiting over- 
seas workers to cut costs, and greedy C- 
level executives who use accounting 
fraud to falsely inflate revenue figures 
and gain big bonuses. 

But education is not just about 
putting students onto a science track. 
What about those technology workers 
who lose their jobs when their compa- 
nies decide to send their work overseas? 
The argument is that these workers are 
now freed up to move into positions 
demanding higher skills, while the work 
they were doing is declared menial — the 
industry word is "commoditized." But 
who's offering this training? Is it incum- 
bent upon the worker to go back to 
school? Almost everyone would agree 
that the training you receive in school 
isn't always in sync with what you need 
to know in the workplace. And, will they 
be guaranteed a job once they go 
through the retraining? 

Most companies that outsource work 
are not offering training courses ahead 
of time, to be able to move loyal workers 
into these jobs that require a higher skill 
set without skipping a beat. There is 
pain and upheaval. 



What about companies that are rely- 
ing on older systems and mainframes, 
which are largely maintained by older 
workers who learned COBOL, CICS 
and other skills that now seem out of 
step with the loosely coupled Web ser- 
vices environments being created? How 
can they keep a stable of workers knowl- 
edgeable in those technologies? 

And what about software security? 
Developers and programmers who are 
now being enlisted in the fight to secure 
software often are not aware of the types 
of vulnerabilities hackers look for to 
hang up or bring down an application. 
How are they to get those skills? 

First, companies must begin to make 
sizable investments in training. Send 
workers to classes, conferences and 
training seminars. Give them materials 
to improve their skills. Give them a rea- 
son to do this, by having a plan for their 
new role in the company once they com- 
plete the training. 

Companies also can look to their soft- 
ware vendors for help. For instance, as 
developers begin to use tools to help 
them do functional testing and to test for 
secure software, they are learning about 
what hackers look for. 

"The tools are only as good as our 
body of knowledge of the vulnerabili- 
ties," said Ron Moritz of Computer 
Associates, who has been working with 
the National Cyber Security Division of 
the U.S. Department of Homeland 
Security. "There are a half-dozen or 
more start-ups" in the field of software 
security, he said, "and you can look at 
these tools as part of the retraining. It's 
almost computer-aided education." 

As the Baby Boomers hit retirement 
age and their concerns shift from such 
things as software security to Social 
Security, it is critical that the U.S. gov- 
ernment and companies with a big 
stake in the future of IT address this 
issue with a big infusion of money and 
classroom training. This will help keep 
them competitive, and help keep us all 
working. 

David Rubinstein is editor of SD Times. 



BUSINESS BRIEFS 



Technology research and analysis company Gartner has agreed to acquire rival 
Meta Group for about US$162 million in cash, the companies have reported. The 
deal is expected to close by midyear. The acquisition continues a trend of consol- 
idation in the research space; in 2003, Forrester Research acquired Giga Infor- 
mation Group for US$51 million. Gartner reported revenue of $638 million in the 
first nine months of 2004, but saw its net income drop 30 percent to $12 million 
in that same time . . . Sterling Commerce will acquire order management and 
supply chain fulfillment solution provider Yantra for about US$170 million in cash, 
according to Sterling, which plans to operate Yantra as a new business division. 
Sterling said it is executing on its multi-enterprise collaboration strategy, which 
essentially extends integration and collaboration beyond a company's firewall to 
let customers create integrated and synchronized supply chains. The transaction 
is expected to be completed in the first part of 2005. 

EARNINGS: PalmSource has reported revenue of US$19.2 million for the second quarter of 2005, ended Nov. 26, compared with $16.8 million for the same period a year earlier. Net income for the quarter was $2.1 million, or 14 cents per share, compared with a net loss of $9.1 million, or 89 cents per share, in 2004. "Although we generally performed to our financial expectations during the second quarter, we are not satisfied with this performance," said David Nagel, president and CEO of PalmSource, in a statement. "However, we did see some encouraging signs for our future, as in aggregate, our licensees reported shipping the largest number of Palm Powered smartphones for any quarter, and we continued to see a larger portion of our business come from that category. We also saw growth in the Palm Powered Economy, as we added three new partners for our Palm Powered Mobile World Program, signed three new ODM partners in Asia and three of our licensees introduced new smartphones worldwide." For the third quarter ending Feb. 25, PalmSource expects revenue will be about $18 million, plus or minus 5 percent . . . Business integration software vendor TIBCO Software reported revenue for fiscal-year 2004 of US$387.2 million. Revenue for the fourth quarter was $125.7 million, while GAAP net income for the quarter was $18.2 million, or 8 cents per share. 



CALENDAR OF EVENTS 

OSDL Enterprise Linux Summit 
Jan. 31-Feb. 2, Burlingame, Calif. 
OPEN SOURCE DEVELOPMENT LABS 
www.osdllinuxsummit.org 

Web Services on Wall Street 
Feb. 1-2, New York 
FLAGG MANAGEMENT & LIGHTHOUSE PARTNERS 
www.webservicesonwallstreet.com 

VSLive 
Feb. 6-10, San Francisco 
FAWCETTE TECHNICAL PUBLICATIONS 
www.ftponline.com/conferences/vslive/2005/sf 

LinuxWorld Conference & Expo 
Feb. 14-17, Boston 
IDG WORLD EXPO 
www.linuxworldexpo.com 

Web Services Edge 2005 East 
Feb. 15-17, Boston 
SYS-CON MEDIA 
sys-con.com/edge2005east 

SHARE 
Feb. 27-March 4, Anaheim 
IBM 
www.share.org 

EclipseCon 
Feb. 28-March 3, Burlingame, Calif. 
ECLIPSE.ORG 
www.eclipse.org/eclipsecon2005/eclipsecon.html 

Embedded Systems Conference 
March 6-10, San Francisco 
CMP MEDIA 
www.esconline.com/sf/index.htm 

Software Engineering Process Group Conference 
March 7-10, Seattle 
CARNEGIE MELLON UNIVERSITY SOFTWARE ENGINEERING INSTITUTE 
www.sei.cmu.edu/sepg 

Software Development Conference & Expo 
March 14-18, Santa Clara 
CMP MEDIA 
www.sdexpo.com 

Software Security Summit 
April 12-14, San Diego 
BZ MEDIA 
www.S-3con.com 

MySQL Users Conference 
April 18-21, Santa Clara 
MYSQL AB AND O'REILLY MEDIA 
www.mysqluc.com 

For a more complete calendar of U.S. software development events, see www.bzmedia.com/calendar. Information is subject to change. Send news about upcoming events to events@bzmedia.com. 



SD TIMES WEB SEMINARS 

Solving the Top Four Problems of Global Distributed Software Development 
Jan. 19 
Time: 10:00 a.m., Pacific (1:00 p.m. Eastern) 
COLLABNET AND SD TIMES 
www.sdtimes.com/seminar.htm 

Successful Strategies To Develop More Secure Software 
Feb. 10 
Time: 11:00 a.m., Pacific (2:00 p.m. Eastern) 
KLOCWORK AND SD TIMES 
www.sdtimes.com/seminar.htm 

For a more complete calendar of SD Times Web Seminars, see www.sdtimes.com/seminar.htm. Registration is free. 
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ADVERTISEMENT 



Software FX Puts Chart FX Right In Your Pocket 

Leading charting technology now available for the .NET Compact Framework and Smart Device applications. 
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